{“lastseen”:”2026-04-13T15:46:30″,”description”:”WBCE CMS versions prior to 1.6.4 suffers from insecure direct object reference and privilege escalation vulnerabilities…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WBCE CMS Privilege Escalation \/ Insecure Direct Object Reference”,”source”:””,”references”:””,”id”:”PACKETSTORM:218769″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-65094″],”sourceData”:”# CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2025-65094](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-65094) |\\n | **Severity** | HIGH |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/WBCE\/WBCE_CMS\/security\/advisories\/GHSA-hmmw-4ccm-fx44) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **WBCE\/WBCE_CMS**\\n \\n \\n \\n ## Details\\n \\n ### Summary\\n A low-privileged user in WBCE CMS can escalate their privileges to the **Administrators** group by manipulating the `groups[]` parameter in the `\/admin\/users\/save.php` request.\\n \\n The UI restricts users to assigning only their existing group, but **server-side validation is missing**, allowing attackers to overwrite their group membership and obtain full administrative access.\\n \\n This results in a **complete compromise of the CMS**.\\n \\n —\\n \\n ## Upstream Fix Confirmation\\n \\n The project maintainers have remediated the issue in the following commit:\\n \\n – **Commit:** `9604617` \\n – **Title:** *\\”changes in user management\\”* \\n – **Link:** https:\/\/github.com\/WBCE\/WBCE_CMS\/commit\/96046178f4c80cf16f7c224054dec7fdadddda7e\\n \\n **Relevant commit message:**\\n \\n \\u003e allow administrators only to assign users to any group; usual users may assign themselves and other users only to groups where they already belong to.\\n \\n This directly addresses the improper access control in group assignment.\\n \\n —\\n \\n ### Details\\n \\n WBCE CMS uses **group permissions** to restrict access to administrative features. \\n A restricted group (`Users`) was created with the following permissions:\\n \\n | Permission Category | Setting |\\n |——————–|——————–|\\n | Pages | View |\\n | Media | View |\\n | Add-ons | View |\\n | Settings | View |\\n | **Access \u2192 Users** | **View + Modify** |\\n | **Access \u2192 Groups**| **View** |\\n | Admin-Tools | *(none)* |\\n \\n \\u003cimg width=\\”1243\\” height=\\”1266\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/aaa4bb9e-becd-47bd-9c87-a0887e54924f\\” \/\\u003e\\n \\n This setup ensures that low-privileged users:\\n \\n – cannot create or edit other users (besides modifying their own profile),\\n – cannot manage groups,\\n – cannot install or modify modules,\\n – cannot access admin tools,\\n – cannot perform administrative actions.\\n \\n Their only elevated permission is:\\n \\n \\u003e **Users \u2192 Modify**, intended solely for editing their own account.\\n \\n —\\n \\n ### Vulnerable Behavior\\n \\n When modifying their own profile via:\\n \\n **Access \u2192 Users \u2192 Modify User**\\n \\n the backend fails to validate whether the submitted `groups[]` value corresponds to allowed UI options.\\n \\n An attacker can intercept and modify the request:\\n \\n `groups[]=2` \u2192 attacker changes to \u2192 `groups[]=1`\\n \\n This immediately assigns the user to the **Administrators** group.\\n \\n ### Affected Code Paths\\n \\n (as confirmed by commit `9604617`)\\n \\n The following files participate in group assignment but previously lacked proper authorization logic:\\n \\n – `wbce\/admin\/users\/index.php`\\n – `wbce\/admin\/users\/users.php`\\n – `wbce\/admin\/users\/save.php`\\n \\n The fix introduces **server-side validation** that:\\n \\n – Allows **administrators** to assign any group.\\n – Restricts **regular users** to groups they already belong to.\\n \\n This confirms an **Improper Access Control \/ IDOR** vulnerability in the group assignment process.\\n \\n —\\n \\n ## Proof of Concept (PoC)\\n \\n ### 1. Create a restricted group\\n \\n Configure a group named **Users** with:\\n \\n – Users \u2192 Modify (enabled) \\n – All other permissions disabled \\n \\n \\u003cimg width=\\”1243\\” height=\\”1266\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/e9bd6cd7-e96c-4df2-904b-26d073abb9be\\” \/\\u003e\\n \\n —\\n \\n ### 2. Create a low-privileged user\\n \\n \\u003cimg width=\\”1567\\” height=\\”908\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/c5acb1fb-c872-415f-8ac2-94b1921f47e1\\” \/\\u003e\\n \\n —\\n \\n ### 3. Log in as the low-privileged user\\n \\n Navigate to:\\n \\n **Access \u2192 Users \u2192 Modify User**\\n \\n \\u003cimg width=\\”1749\\” height=\\”1020\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/35ffafac-d60e-42fc-a6be-5450821db003\\” \/\\u003e\\n \\n Intercept the outgoing request using a proxy such as Burp Suite.\\n \\n —\\n \\n ### 4. Modify the group assignment parameter\\n \\n **Original request parameter:** \\n `groups%5B%5D=2`\\n \\n **Modified request parameter:** \\n `groups%5B%5D=1`\\n \\n Changing the parameter to `1` assigns the user to the **Administrators** group.\\n \\n —\\n \\n ### 5. Forward the request\\n \\n \\u003cimg width=\\”1920\\” height=\\”676\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/ef980f1f-3650-4e7e-a67d-e95438584360\\” \/\\u003e\\n \\n —\\n \\n ### 6. Administrative access obtained\\n \\n After re-authentication, the user gains full access to administrative tools and features.\\n \\n \\u003cimg width=\\”1355\\” height=\\”781\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/cdd06bbd-a6c1-4b80-8050-a012354c9496\\” \/\\u003e\\n \\n —\\n \\n ## Impact\\n \\n This is a **privilege escalation vulnerability** that allows any low-privileged authenticated user to:\\n \\n 1. Escalate to the **Administrators** group \\n 2. Gain full control of the CMS \\n 3. Install arbitrary modules \\n 4. Access all administrative tools \\n 5. Potentially achieve **remote code execution** via malicious module upload \\n 6. Modify or delete any content managed by the CMS\\n \\n ## References\\n \\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/security\/advisories\/GHSA-hmmw-4ccm-fx44\\n – https:\/\/github.com\/WBCE\/WBCE_CMS\/commit\/96046178f4c80cf16f7c224054dec7fdadddda7e\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218769″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218769\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:46:30″,”description”:”WBCE CMS versions prior to 1.6.4 suffers from insecure direct object reference and privilege escalation vulnerabilities…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WBCE CMS Privilege Escalation \/ Insecure Direct Object Reference”,”source”:””,”references”:””,”id”:”PACKETSTORM:218769″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-65094″],”sourceData”:”#…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-46313","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n