Severity: Unrated · NVD Advisory · Published Dec 8, 2025 · Updated Dec 9, 2025
WBCE CMS allows brute-force protection bypass using X-Forwarded-For header
CVE-2025-66204
Description
WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying X-Forwarded-For on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the X-Forwarded-For header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
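The description above comes down to one design flaw: the brute-force counter is keyed on a value the client controls. The following Python is an added illustration, not code from WBCE CMS (the function names, the trusted-proxy address and the sample peer address are all hypothetical). It places a limiter that blindly trusts X-Forwarded-For beside one that honours the header only when the TCP peer is a configured reverse proxy, and otherwise keys on the socket address, then counts how many wrong-password requests from a single peer reach the password check under each policy.

```python
"""Illustrative login rate limiter: counter keyed on client-supplied
X-Forwarded-For (the flawed pattern) versus keyed on the real peer address
unless a trusted proxy set the header. Added example, not WBCE CMS code;
all names and addresses are constructed."""
import ipaddress
import time

MAX_ATTEMPTS = 5          # failures allowed per key within the window
WINDOW_SECONDS = 300
TRUSTED_PROXIES = frozenset({"192.0.2.10"})  # hypothetical reverse proxy


def client_ip_trusting_header(remote_addr, headers):
    """Flawed pattern: any request may set X-Forwarded-For, first entry wins.
    Because the key changes whenever the header changes, a client can start a
    fresh counter on every request."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, headers, trusted_proxies):
    """Hardened pattern: X-Forwarded-For is only honoured when the TCP peer is
    a configured trusted proxy. The rightmost entry is used because that is the
    one appended by the proxy; anything to its left was supplied by the client.
    Malformed values fall back to the socket address."""
    if remote_addr in trusted_proxies:
        xff = headers.get("X-Forwarded-For", "")
        candidates = [p.strip() for p in xff.split(",") if p.strip()]
        if candidates:
            try:
                return str(ipaddress.ip_address(candidates[-1]))
            except ValueError:
                pass
    return remote_addr


class LoginLimiter:
    """Sliding-window failure counter keyed by whatever key_func returns."""

    def __init__(self, key_func, now=time.time):
        self.key_func = key_func
        self.now = now
        self.failures = {}  # key -> list of failure timestamps

    def allowed(self, remote_addr, headers):
        key = self.key_func(remote_addr, headers)
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.failures.get(key, []) if t > cutoff]
        self.failures[key] = recent
        return len(recent) < MAX_ATTEMPTS

    def record_failure(self, remote_addr, headers):
        key = self.key_func(remote_addr, headers)
        self.failures.setdefault(key, []).append(self.now())


def simulate(limiter, attempts, spoof):
    """Return how many of `attempts` wrong-password requests from one peer
    reach the password check. With spoof=True each request carries a different
    X-Forwarded-For value, the behaviour the advisory describes."""
    peer = "198.51.100.7"  # constructed sample peer address, not a proxy
    reached = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.0.{i % 250 + 1}"} if spoof else {}
        if limiter.allowed(peer, headers):
            reached += 1
            limiter.record_failure(peer, headers)
    return reached


if __name__ == "__main__":
    flawed = LoginLimiter(client_ip_trusting_header)
    fixed = LoginLimiter(lambda r, h: client_ip(r, h, TRUSTED_PROXIES))
    print("header-trusting limiter, 20 spoofed attempts reach check:",
          simulate(flawed, 20, spoof=True))   # 20: counter never accumulates
    print("proxy-aware limiter, 20 spoofed attempts reach check:",
          simulate(fixed, 20, spoof=True))    # 5: keyed on the socket address
```

The detection angle follows from the same observation: a single socket address sending many login failures with a constantly changing X-Forwarded-For value is a pattern worth alerting on, and it is only visible if the access log records the peer address alongside the header rather than the header alone.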
Affected products: 1
Patches
No patches discovered yet.
References (3)
- github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5 (MISC)
- github.com/WBCE/WBCE_CMS/releases/tag/1.6.5 (MISC)
- github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw (CONFIRM)