CVE-2025-34506

EUVD-2025-202933
WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
wbcewbce_cms
𝑥
≤ 1.6.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE
https://github.com/WBCE/WBCE_CMS
https://wbce-cms.org/
https://www.exploit-db.com/exploits/52132
https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload
https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e