Unrated severityNVD Advisory· Published Dec 8, 2025· Updated Dec 9, 2025
WBCE CMS allows brute-force protection bypass using X-Forwarded-For header
CVE-2025-66204
Description
WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying X-Forwarded-For on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the X-Forwarded-For header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5mitrex_refsource_MISC
- github.com/WBCE/WBCE_CMS/releases/tag/1.6.5mitrex_refsource_MISC
- github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mwmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.