CVE

CVE-2025-67504

WBCE CMS has Weak Random Number Generator in Password Generation Function

CVE

CVE-2025-67504

WBCE CMS has Weak Random Number Generator in Password Generation Function

WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

9.1

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Related Resources

No items found.

References

https://cwe.mitre.org/data/definitions/338.html, https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67504.json, https://github.com/WBCE/WBCECMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6, https://github.com/WBCE/WBCECMS/releases/tag/1.6.5, https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6, https://nvd.nist.gov/vuln/detail/CVE-2025-67504

Severity

9.1

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.1

EPSS Probability

0.00063%

EPSS Percentile

0.19798%

Introduced Version

Fix Available

458d4385482770a7f6e77361e64265c1413b0c99

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-67504

CVE-2025-67504

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.1

Basic Information

Fix Critical Vulnerabilities Instantly