{“lastseen”:”2026-04-13T15:48:35″,”description”:”WBCE CMS versions 1.6.4 and below suffer from a remote time-bsed SQL injection vulnerability via the groups parameter…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WBCE CMS 1.6.4 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218758″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-65950″],”sourceData”:”# CVE-2025-65950: WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2025-65950](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-65950) |\\n | **Severity** | CRITICAL |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/WBCE\/WBCE_CMS\/security\/advisories\/GHSA-934v-xhx9-j2f3) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **WBCE\/WBCE_CMS**\\n \\n \\n \\n ## Details\\n \\n ### Summary\\n \\n A critical SQL Injection vulnerability in the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively bypassing all security controls.\\n \\n ### Details\\n \\n The vulnerability exists in the `admin\/users\/save.php` script, which handles updates to user profiles. The script improperly processes the `groups[]` parameter sent from the user edit form.\\n \\n ### PoC\\n \\n The proof of concept involves using a time-based blind SQL injection to confirm arbitrary SQL execution.\\n \\n 1. **Prerequisites:**\\n * An authenticated user account belonging to a group with \\”Users – Modify\\” (`users_modify`) permissions. This user **does not** need to be a full administrator.\\n \\n \\u003cimg width=\\”823\\” height=\\”941\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/8b2085a6-df19-4d36-abf0-6c50466d462d\\” \/\\u003e\\n \\n \\n 2. **Reproduction Steps:**\\n \\n a. Log in as the low-privileged user.\\n b. Navigate to \\”Access\\” -\\u003e \\”Users\\” and select any user for modification.\\n \\n \\u003cimg width=\\”1402\\” height=\\”660\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/66ed918a-f47b-4ba4-bd44-340fcad5ad41\\” \/\\u003e\\n \\u003cimg width=\\”1434\\” height=\\”702\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/24f3a85d-28a9-4c85-a3eb-5e1cf3a5ec3d\\” \/\\u003e\\n c. Capture the POST request sent to \/wbce\/admin\/users\/save.php when the \\”Save\\” button is clicked.\\n \\u003cimg width=\\”1073\\” height=\\”731\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/bc88cf5d-c8ea-43ad-8197-36239f727b58\\” \/\\u003e\\n \\n d. Edit `groups[]` parameter with the following URL-encoded payload, which will attempt to make the database wait for 10 seconds: groups%5B%5D=2%27+%2C+%60active%60+%3D+SLEEP(10)+–+\\n \\n *(Decoded payload: 2′ , `active` = SLEEP(10) — )*\\n \\n f. Send the modified request.\\n \\n 3. **Verification:**\\n \\n \\u003cimg width=\\”1909\\” height=\\”801\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/de9457e0-793b-4551-b59d-fe9341fce47c\\” \/\\u003e\\n \\n **Data Exfiltration Example: Retrieving the Database Name**\\n \\n **Example Payload to Test a Character:**\\n \\n `groups%5B%5D=2%27+%2C+%60active%60+%3D+IF(SUBSTRING(DATABASE()%2C+1%2C+1)+%3D+%27w%27%2C+SLEEP(5)%2C+0)+–+`\\n \\n This manual process can be continued to reveal the full database name and, subsequently, any other data in the database.\\n \\n \\u003cimg width=\\”957\\” height=\\”583\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/c1bacf39-d871-4004-ab6d-5d404901ff28\\” \/\\u003e\\n \\n \\u003cimg width=\\”1910\\” height=\\”801\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/3be4ab9d-75ce-4cbf-bc68-9ebbc5f92116\\” \/\\u003e\\n \\n \\n ### Impact\\n \\n A low-privileged user, who should only be able to make benign changes to user profiles, can gain full control over the database.\\n \\n The impact includes, but is not limited to:\\n * Reading all data from any table, including session data, password hashes, and personal user information.\\n —\\n \\n ## References\\n \\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/security\/advisories\/GHSA-934v-xhx9-j2f3\\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/commit\/96046178f4c80cf16f7c224054dec7fdadddda7e\\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/releases\/tag\/1.6.5\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218758″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218758\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:48:35″,”description”:”WBCE CMS versions 1.6.4 and below suffer from a remote time-bsed SQL injection vulnerability via the groups parameter…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WBCE CMS 1.6.4 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218758″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-65950″],”sourceData”:”# CVE-2025-65950: WBCE…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,13,53,7,11,5],"class_list":["post-46312","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n