WBCE CMS has Weak Random Number Generator in Password Generation...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.

AI Analysis

WBCE CMS uses a weak random number generator for password creation, allowing password sequences to be predicted or brute-forced, potentially leading to user account compromise or privilege escalation.

Basic Information

ID CVE-2025-67504

Source GitHub_M

Published Dec 9, 2025 at 03:31

Affected Product

Vendor WBCE

Product WBCE_CMS

Version < 1.6.5

Affected Versions WBCE WBCE_CMS < 1.6.5

CWE Classification

CWE-331 CWE-338

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor WBCE

Product WBCE_CMS

Version 1.6.4 and below

References

{
    "lastseen": "",
    "description": "WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.",
    "published": "2025-12-09T03:31:17.723Z",
    "modified": "2025-12-09T03:31:17.723Z",
    "type": "cve",
    "title": "WBCE CMS has Weak Random Number Generator in Password Generation Function",
    "source": "GitHub_M",
    "references": "https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6\nhttps://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6\nhttps://cwe.mitre.org/data/definitions/338.html\nhttps://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5",
    "id": "CVE-2025-67504",
    "bulletinFamily": "",
    "cwe": [
        "CWE-331",
        "CWE-338"
    ],
    "cvelist": null,
    "sourceData": "WBCE WBCE_CMS < 1.6.5",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WBCE_CMS",
    "version": "< 1.6.5",
    "vendor": "WBCE",
    "ai_description": "WBCE CMS uses a weak random number generator for password creation, allowing password sequences to be predicted or brute-forced, potentially leading to user account compromise or privilege escalation.",
    "ai_severity": "Critical",
    "ai_vendor": "WBCE",
    "ai_product": "WBCE_CMS",
    "ai_version": "1.6.4 and below",
    "ai_score": 9.1
}

WBCE CMS has Weak Random Number Generator in Password Generation Function_CVE-2025-67504