📄 WBCE CMS Privilege Escalation / Insecure Direct Object Reference

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

WBCE CMS versions prior to 1.6.4 suffers from insecure direct object reference and privilege escalation vulnerabilities...

Visit Original Source

Basic Information

ID PACKETSTORM:218769

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions # CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-65094](https://nvd.nist.gov/vuln/detail/CVE-2025-65094) |
| **Severity** | HIGH |
| **Advisory** | [View Advisory](https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **WBCE/WBCE_CMS**

## Details

### Summary
A low-privileged user in WBCE CMS can escalate their privileges to the **Administrators** group by manipulating the `groups[]` parameter in the `/admin/users/save.php` request.

The UI restricts users to assigning only their existing group, but **server-side validation is missing**, allowing attackers to overwrite their group membership and obtain full administrative access.

This results in a **complete compromise of the CMS**.

---

## Upstream Fix Confirmation

The project maintainers have remediated the issue in the following commit:

- **Commit:** `9604617`
- **Title:** *"changes in user management"*
- **Link:** https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e

**Relevant commit message:**

> allow administrators only to assign users to any group; usual users may assign themselves and other users only to groups where they already belong to.

This directly addresses the improper access control in group assignment.

---

### Details

WBCE CMS uses **group permissions** to restrict access to administrative features.
A restricted group (`Users`) was created with the following permissions:

| Permission Category | Setting |
|--------------------|--------------------|
| Pages | View |
| Media | View |
| Add-ons | View |
| Settings | View |
| **Access → Users** | **View + Modify** |
| **Access → Groups**| **View** |
| Admin-Tools | *(none)* |

<img width="1243" height="1266" alt="image" src="https://github.com/user-attachments/assets/aaa4bb9e-becd-47bd-9c87-a0887e54924f" />

This setup ensures that low-privileged users:

- cannot create or edit other users (besides modifying their own profile),
- cannot manage groups,
- cannot install or modify modules,
- cannot access admin tools,
- cannot perform administrative actions.

Their only elevated permission is:

> **Users → Modify**, intended solely for editing their own account.

---

### Vulnerable Behavior

When modifying their own profile via:

**Access → Users → Modify User**

the backend fails to validate whether the submitted `groups[]` value corresponds to allowed UI options.

An attacker can intercept and modify the request:

`groups[]=2` → attacker changes to → `groups[]=1`

This immediately assigns the user to the **Administrators** group.

### Affected Code Paths

(as confirmed by commit `9604617`)

The following files participate in group assignment but previously lacked proper authorization logic:

- `wbce/admin/users/index.php`
- `wbce/admin/users/users.php`
- `wbce/admin/users/save.php`

The fix introduces **server-side validation** that:

- Allows **administrators** to assign any group.
- Restricts **regular users** to groups they already belong to.

This confirms an **Improper Access Control / IDOR** vulnerability in the group assignment process.

---

## Proof of Concept (PoC)

### 1. Create a restricted group

Configure a group named **Users** with:

- Users → Modify (enabled)
- All other permissions disabled

<img width="1243" height="1266" alt="image" src="https://github.com/user-attachments/assets/e9bd6cd7-e96c-4df2-904b-26d073abb9be" />

---

### 2. Create a low-privileged user

<img width="1567" height="908" alt="image" src="https://github.com/user-attachments/assets/c5acb1fb-c872-415f-8ac2-94b1921f47e1" />

---

### 3. Log in as the low-privileged user

Navigate to:

**Access → Users → Modify User**

<img width="1749" height="1020" alt="image" src="https://github.com/user-attachments/assets/35ffafac-d60e-42fc-a6be-5450821db003" />

Intercept the outgoing request using a proxy such as Burp Suite.

---

### 4. Modify the group assignment parameter

**Original request parameter:**
`groups%5B%5D=2`

**Modified request parameter:**
`groups%5B%5D=1`

Changing the parameter to `1` assigns the user to the **Administrators** group.

---

### 5. Forward the request

<img width="1920" height="676" alt="image" src="https://github.com/user-attachments/assets/ef980f1f-3650-4e7e-a67d-e95438584360" />

---

### 6. Administrative access obtained

After re-authentication, the user gains full access to administrative tools and features.

<img width="1355" height="781" alt="image" src="https://github.com/user-attachments/assets/cdd06bbd-a6c1-4b80-8050-a012354c9496" />

---

## Impact

This is a **privilege escalation vulnerability** that allows any low-privileged authenticated user to:

1. Escalate to the **Administrators** group
2. Gain full control of the CMS
3. Install arbitrary modules
4. Access all administrative tools
5. Potentially achieve **remote code execution** via malicious module upload
6. Modify or delete any content managed by the CMS

## References

- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44
- https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

{
    "lastseen": "2026-04-13T15:46:30",
    "description": "WBCE CMS versions prior to 1.6.4 suffers from insecure direct object reference and privilege escalation vulnerabilities...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 WBCE CMS Privilege Escalation / Insecure Direct Object Reference",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218769",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-65094"
    ],
    "sourceData": "# CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)\n    \n    ## Overview\n    \n    | Field | Details |\n    |---|---|\n    | **CVE ID** | [CVE-2025-65094](https://nvd.nist.gov/vuln/detail/CVE-2025-65094) |\n    | **Severity** | HIGH |\n    | **Advisory** | [View Advisory](https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44) |\n    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |\n    \n    ## Affected Products\n    \n    - **WBCE/WBCE_CMS**\n    \n    \n    \n    ## Details\n    \n    ### Summary\n    A low-privileged user in WBCE CMS can escalate their privileges to the **Administrators** group by manipulating the `groups[]` parameter in the `/admin/users/save.php` request.\n    \n    The UI restricts users to assigning only their existing group, but **server-side validation is missing**, allowing attackers to overwrite their group membership and obtain full administrative access.\n    \n    This results in a **complete compromise of the CMS**.\n    \n    ---\n    \n    ## Upstream Fix Confirmation\n    \n    The project maintainers have remediated the issue in the following commit:\n    \n    - **Commit:** `9604617`  \n    - **Title:** *\"changes in user management\"*  \n    - **Link:** https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e\n    \n    **Relevant commit message:**\n    \n    > allow administrators only to assign users to any group; usual users may assign themselves and other users only to groups where they already belong to.\n    \n    This directly addresses the improper access control in group assignment.\n    \n    ---\n    \n    ### Details\n    \n    WBCE CMS uses **group permissions** to restrict access to administrative features.  \n    A restricted group (`Users`) was created with the following permissions:\n    \n    | Permission Category | Setting            |\n    |--------------------|--------------------|\n    | Pages              | View               |\n    | Media              | View               |\n    | Add-ons            | View               |\n    | Settings           | View               |\n    | **Access \u2192 Users** | **View + Modify**  |\n    | **Access \u2192 Groups**| **View**           |\n    | Admin-Tools        | *(none)*           |\n    \n    <img width=\"1243\" height=\"1266\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aaa4bb9e-becd-47bd-9c87-a0887e54924f\" />\n    \n    This setup ensures that low-privileged users:\n    \n    - cannot create or edit other users (besides modifying their own profile),\n    - cannot manage groups,\n    - cannot install or modify modules,\n    - cannot access admin tools,\n    - cannot perform administrative actions.\n    \n    Their only elevated permission is:\n    \n    > **Users \u2192 Modify**, intended solely for editing their own account.\n    \n    ---\n    \n    ### Vulnerable Behavior\n    \n    When modifying their own profile via:\n    \n    **Access \u2192 Users \u2192 Modify User**\n    \n    the backend fails to validate whether the submitted `groups[]` value corresponds to allowed UI options.\n    \n    An attacker can intercept and modify the request:\n    \n    `groups[]=2` \u2192 attacker changes to \u2192 `groups[]=1`\n    \n    This immediately assigns the user to the **Administrators** group.\n    \n    ### Affected Code Paths\n    \n    (as confirmed by commit `9604617`)\n    \n    The following files participate in group assignment but previously lacked proper authorization logic:\n    \n    - `wbce/admin/users/index.php`\n    - `wbce/admin/users/users.php`\n    - `wbce/admin/users/save.php`\n    \n    The fix introduces **server-side validation** that:\n    \n    - Allows **administrators** to assign any group.\n    - Restricts **regular users** to groups they already belong to.\n    \n    This confirms an **Improper Access Control / IDOR** vulnerability in the group assignment process.\n    \n    ---\n    \n    ## Proof of Concept (PoC)\n    \n    ### 1. Create a restricted group\n    \n    Configure a group named **Users** with:\n    \n    - Users \u2192 Modify (enabled)  \n    - All other permissions disabled  \n    \n    <img width=\"1243\" height=\"1266\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e9bd6cd7-e96c-4df2-904b-26d073abb9be\" />\n    \n    ---\n    \n    ### 2. Create a low-privileged user\n    \n    <img width=\"1567\" height=\"908\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c5acb1fb-c872-415f-8ac2-94b1921f47e1\" />\n    \n    ---\n    \n    ### 3. Log in as the low-privileged user\n    \n    Navigate to:\n    \n    **Access \u2192 Users \u2192 Modify User**\n    \n    <img width=\"1749\" height=\"1020\" alt=\"image\" src=\"https://github.com/user-attachments/assets/35ffafac-d60e-42fc-a6be-5450821db003\" />\n    \n    Intercept the outgoing request using a proxy such as Burp Suite.\n    \n    ---\n    \n    ### 4. Modify the group assignment parameter\n    \n    **Original request parameter:**  \n    `groups%5B%5D=2`\n    \n    **Modified request parameter:**  \n    `groups%5B%5D=1`\n    \n    Changing the parameter to `1` assigns the user to the **Administrators** group.\n    \n    ---\n    \n    ### 5. Forward the request\n    \n    <img width=\"1920\" height=\"676\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ef980f1f-3650-4e7e-a67d-e95438584360\" />\n    \n    ---\n    \n    ### 6. Administrative access obtained\n    \n    After re-authentication, the user gains full access to administrative tools and features.\n    \n    <img width=\"1355\" height=\"781\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cdd06bbd-a6c1-4b80-8050-a012354c9496\" />\n    \n    ---\n    \n    ## Impact\n    \n    This is a **privilege escalation vulnerability** that allows any low-privileged authenticated user to:\n    \n    1. Escalate to the **Administrators** group  \n    2. Gain full control of the CMS  \n    3. Install arbitrary modules  \n    4. Access all administrative tools  \n    5. Potentially achieve **remote code execution** via malicious module upload  \n    6. Modify or delete any content managed by the CMS\n    \n    ## References\n    \n    - https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44\n    - https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e\n    \n    \n    ## Disclaimer\n    \n    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.",
    "sourceHref": "https://packetstorm.news/download/218769",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218769/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 WBCE CMS Privilege Escalation / Insecure Direct Object Reference_PACKETSTORM:218769

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply