CVSS score: 9.4 / 10 (CRITICAL)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H
Description
WBCE CMS versions 1.6.4 and below suffer from a remote time-based SQL injection vulnerability via the groups parameter...
Basic Information
ID: PACKETSTORM:218758
Published: Apr 13, 2026 at 00:00
# CVE-2025-65950: WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-65950](https://nvd.nist.gov/vuln/detail/CVE-2025-65950) |
| **Severity** | CRITICAL |
| **Advisory** | [View Advisory](https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-934v-xhx9-j2f3) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **WBCE/WBCE_CMS**
## Details
### Summary
A critical SQL injection vulnerability in the user management module allows a low-privileged authenticated user with permission to modify users to execute arbitrary SQL queries. This can be escalated to full database compromise and data exfiltration, effectively bypassing all security controls.
### Details
The vulnerability exists in the `admin/users/save.php` script, which handles updates to user profiles. The script improperly processes the `groups[]` parameter sent from the user edit form.
### PoC
The proof of concept involves using a time-based blind SQL injection to confirm arbitrary SQL execution.
1. **Prerequisites:**
* An authenticated user account belonging to a group with "Users - Modify" (`users_modify`) permissions. This user **does not** need to be a full administrator.
<img width="823" height="941" alt="image" src="https://github.com/user-attachments/assets/8b2085a6-df19-4d36-abf0-6c50466d462d" />
2. **Reproduction Steps:**
a. Log in as the low-privileged user.
b. Navigate to "Access" -> "Users" and select any user for modification.
<img width="1402" height="660" alt="image" src="https://github.com/user-attachments/assets/66ed918a-f47b-4ba4-bd44-340fcad5ad41" />
<img width="1434" height="702" alt="image" src="https://github.com/user-attachments/assets/24f3a85d-28a9-4c85-a3eb-5e1cf3a5ec3d" />
c. Capture the POST request sent to /wbce/admin/users/save.php when the "Save" button is clicked.
<img width="1073" height="731" alt="image" src="https://github.com/user-attachments/assets/bc88cf5d-c8ea-43ad-8197-36239f727b58" />
d. Edit the `groups[]` parameter with the following URL-encoded payload, which will attempt to make the database wait for 10 seconds: `groups%5B%5D=2%27+%2C+%60active%60+%3D+SLEEP(10)+--+`
*(Decoded payload:* ``2' , `active` = SLEEP(10) -- ``*)*
f. Send the modified request.
3. **Verification:**
<img width="1909" height="801" alt="image" src="https://github.com/user-attachments/assets/de9457e0-793b-4551-b59d-fe9341fce47c" />
**Data Exfiltration Example: Retrieving the Database Name**
**Example Payload to Test a Character:**
`groups%5B%5D=2%27+%2C+%60active%60+%3D+IF(SUBSTRING(DATABASE()%2C+1%2C+1)+%3D+%27w%27%2C+SLEEP(5)%2C+0)+--+`
This manual process can be continued to reveal the full database name and, subsequently, any other data in the database.
<img width="957" height="583" alt="image" src="https://github.com/user-attachments/assets/c1bacf39-d871-4004-ab6d-5d404901ff28" />
<img width="1910" height="801" alt="image" src="https://github.com/user-attachments/assets/3be4ab9d-75ce-4cbf-bc68-9ebbc5f92116" />
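An added example (not code from the advisory or from WBCE): a Python check over captured requests that flags `groups[]` values on POSTs to `admin/users/save.php` that are not plain numeric IDs. The record layout, the `user_id` field, the numeric-ID rule and the delay threshold are assumptions, and the sample records are constructed around the two payloads shown above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

TARGET_SUFFIX = "/admin/users/save.php"  # endpoint named in the advisory
GROUP_ID = re.compile(r"[0-9]{1,10}")    # assumption: group IDs are small integers
SLOW_MS = 4000                           # assumption: threshold for a SLEEP()-style delay

def bad_group_values(body):
    """Decode a form body and return groups[] values that are not plain integers."""
    return [v for k, v in parse_qsl(body)
            if k.startswith("groups[") and not GROUP_ID.fullmatch(v)]

def scan(records):
    """Flag POSTs to save.php whose groups[] carries anything but numeric IDs."""
    findings = []
    for r in records:
        if r["method"] != "POST":
            continue
        if not urlsplit(r["url"]).path.endswith(TARGET_SUFFIX):
            continue
        bad = bad_group_values(r["body"])
        if bad:
            findings.append({"src": r["src"], "values": bad,
                             "delayed": r["elapsed_ms"] >= SLOW_MS})
    return findings

# Constructed sample records: a hypothetical proxy/WAF log that keeps request
# bodies and response times. Field names and user_id are not from the advisory.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "url": "/wbce/admin/users/save.php",
     "elapsed_ms": 120, "body": "user_id=5&groups%5B%5D=2&groups%5B%5D=3"},
    {"src": "198.51.100.7", "method": "POST", "url": "/wbce/admin/users/save.php",
     "elapsed_ms": 10140,
     "body": "user_id=5&groups%5B%5D=2%27+%2C+%60active%60+%3D+SLEEP(10)+--+"},
    {"src": "198.51.100.7", "method": "POST", "url": "/wbce/admin/users/save.php",
     "elapsed_ms": 95,
     "body": "user_id=5&groups%5B%5D=2%27+%2C+%60active%60+%3D+IF(SUBSTRING("
             "DATABASE()%2C+1%2C+1)+%3D+%27w%27%2C+SLEEP(5)%2C+0)+--+"},
    {"src": "192.0.2.10", "method": "POST", "url": "/other/form.php",
     "elapsed_ms": 80, "body": "groups%5B%5D=abc"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The third record is flagged even though its response was fast, so validating the parameter catches character-test probes that a response-time alert alone would miss.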
### Impact
A low-privileged user, who should only be able to make benign changes to user profiles, can gain full control over the database.
The impact includes, but is not limited to:
* Reading all data from any table, including session data, password hashes, and personal user information.
---
## References
- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-934v-xhx9-j2f3
- https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
- https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.