WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file.
References
| Link | Resource |
|---|---|
| https://wbce-cms.org/ | Product |
| https://www.exploit-db.com/exploits/51484 | Exploit Third Party Advisory VDB Entry |
| https://www.vulncheck.com/advisories/wbce-cms-svg-file-content-cross-site-scripting | Exploit Third Party Advisory |
| https://www.exploit-db.com/exploits/51484 | Exploit Third Party Advisory VDB Entry |
Configurations
History
27 Dec 2025, 17:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.vulncheck.com/advisories/wbce-cms-svg-file-content-cross-site-scripting - Exploit, Third Party Advisory |
24 Dec 2025, 18:07
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://wbce-cms.org/ - Product | |
| References | () https://www.exploit-db.com/exploits/51484 - Exploit, Third Party Advisory, VDB Entry | |
| References | () https://www.vulncheck.com/advisories/wbce-cms-svg-file-content-cross-site-scripting - Third Party Advisory, Exploit | |
| First Time |
Wbce
Wbce wbce Cms |
|
| CPE | cpe:2.3:a:wbce:wbce_cms:1.6.1:-:*:*:*:*:*:* |
18 Dec 2025, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.exploit-db.com/exploits/51484 - |
17 Dec 2025, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-17 23:15
Updated : 2025-12-27 17:15
NVD link : CVE-2023-53909
Mitre link : CVE-2023-53909
CVE.ORG link : CVE-2023-53909
JSON object : View
Products Affected
wbce
- wbce_cms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')