Wbce
Products
1- 34 CVEs
Recent CVEs (34)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-2119 | | High | 0.56 | 8.6 | 0.04 | | Apr 28, 2017 | Directory traversal vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to read arbitrary files via unspecified vectors. |
| CVE-2017-2120 | | High | 0.47 | 7.2 | 0.01 | | Apr 28, 2017 | SQL injection vulnerability in the WBCE CMS 1.1.10 and earlier allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2017-2118 | | Med | 0.40 | 6.1 | 0.01 | | Apr 28, 2017 | Cross-site scripting vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2018-6313 | | Med | 0.31 | 4.8 | 0.01 | | Jan 25, 2018 | Cross-site scripting (XSS) in WBCE CMS 1.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the Modify Page screen, a different issue than CVE-2017-2118. |
| CVE-2017-1000213 | | Med | 0.31 | 4.8 | 0.01 | | Nov 17, 2017 | WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search |
| CVE-2023-39796 | | | 0.06 | — | 0.06 | | Nov 10, 2023 | SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter. |
| CVE-2021-3817 | | | 0.06 | — | 0.38 | | Dec 9, 2021 | wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command |
| CVE-2022-30073 | | | 0.01 | — | 0.02 | | May 17, 2022 | WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via /admin/users/save.php. |
| CVE-2022-50936 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute… |
| CVE-2023-53910 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with… |
| CVE-2023-53909 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the… |
| CVE-2023-53901 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image… |
| CVE-2025-34506 | | | 0.00 | — | 0.01 | | Dec 11, 2025 | WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the… |
| CVE-2024-58283 | | | 0.00 | — | 0.01 | | Dec 10, 2025 | WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and… |
| CVE-2025-65950 | | | 0.00 | — | 0.00 | | Dec 10, 2025 | WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration,… |
| CVE-2025-67504 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account… |
| CVE-2025-66204 | | | 0.00 | — | 0.00 | | Dec 8, 2025 | WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all… |
| CVE-2025-65094 | | | 0.00 | — | 0.00 | | Nov 19, 2025 | WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only… |
| CVE-2023-43871 | | | 0.00 | — | 0.00 | | Sep 28, 2023 | A File upload vulnerability in WBCE v.1.6.1 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS). |
| CVE-2023-38947 | | | 0.00 | — | 0.00 | | Aug 3, 2023 | An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file. |