VYPR
Unrated severityNVD Advisory· Published Dec 8, 2025· Updated Dec 9, 2025

WBCE CMS allows brute-force protection bypass using X-Forwarded-For header

CVE-2025-66204

Description

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying X-Forwarded-For on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the X-Forwarded-For header without validating it or restricting its usage. This issue is fixed in version 1.6.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Wbce/Wbce CMSllm-fuzzy2 versions
    <=1.6.4+ 1 more
    • (no CPE)range: <=1.6.4
    • (no CPE)range: >= 1.6.4, < 1.6.5

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.