CVE

CVE-2025-65094

WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)

CVE

CVE-2025-65094

WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.7

4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65094.json, https://github.com/WBCE/WBCECMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e, https://github.com/WBCE/WBCECMS/security/advisories/GHSA-hmmw-4ccm-fx44, https://nvd.nist.gov/vuln/detail/CVE-2025-65094

Severity

0

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

0.00053%

EPSS Percentile

0.16867%

Introduced Version

Fix Available

15be89e102f1da4ac935e1d2b6af1dafa962a787

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-65094

CVE-2025-65094

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

0

Basic Information

Fix Critical Vulnerabilities Instantly