WBCE CMS 1.6.3 Authenticated Remote Code Execution via Module Upload

Advisories

severity: high
date: December 11, 2025
Affecting: WBCE CMS 1.6.3
CVE: CVE-2025-34506
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-52132
WBCE CMS Homepage
WBCE CMS GitHub Repository
YouTube Demonstration
Swammers8 GitHub Repository
Credit: Swammers8
Description: WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.