CVE-2024-58283

WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.

CVSS

No CVSS.

References

Link	Resource
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
https://wbce-cms.org/
https://www.exploit-db.com/exploits/52039
https://www.vulncheck.com/advisories/wbce-cms-remote-code-execution-via-elfinder-file-upload
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip

Configurations

No configuration.

History

11 Dec 2025, 19:15

Type	Values Removed	Values Added
References	~~() https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip -~~	() https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip -

10 Dec 2025, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-10 22:16

Updated : 2025-12-12 15:18

NVD link : CVE-2024-58283

Mitre link : CVE-2024-58283

CVE.ORG link : CVE-2024-58283

JSON object : View

Products Affected

No product.

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-58283", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-10T22:16:20.267", "references": [{"url": "https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip", "source": "disclosure@vulncheck.com"}, {"url": "https://wbce-cms.org/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/52039", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/wbce-cms-remote-code-execution-via-elfinder-file-upload", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter."}], "lastModified": "2025-12-12T15:18:13.390", "sourceIdentifier": "disclosure@vulncheck.com"}