WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
References
| Link | Resource |
|---|---|
| https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE | Exploit Third Party Advisory |
| https://github.com/WBCE/WBCE_CMS | Product |
| https://wbce-cms.org/ | Product |
| https://www.exploit-db.com/exploits/52132 | Exploit Third Party Advisory VDB Entry |
| https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload | Third Party Advisory |
| https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e | Exploit |
Configurations
History
15 Dec 2025, 18:07
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Wbce
Wbce wbce Cms |
|
| CPE | cpe:2.3:a:wbce:wbce_cms:*:*:*:*:*:*:*:* | |
| References | () https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE - Exploit, Third Party Advisory | |
| References | () https://github.com/WBCE/WBCE_CMS - Product | |
| References | () https://wbce-cms.org/ - Product | |
| References | () https://www.exploit-db.com/exploits/52132 - Exploit, Third Party Advisory, VDB Entry | |
| References | () https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload - Third Party Advisory | |
| References | () https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e - Exploit | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
11 Dec 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-11 22:15
Updated : 2025-12-15 18:07
NVD link : CVE-2025-34506
Mitre link : CVE-2025-34506
CVE.ORG link : CVE-2025-34506
JSON object : View
Products Affected
wbce
- wbce_cms
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type