WBCE CMS 1.6.2 Remote Code Execution via Elfinder File Upload

Advisories

severity: high
date: December 10, 2025
Affecting: WBCE CMS 1.6.2
CVE: CVE-2024-58283
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-52039
WBCE CMS Homepage
WBCE CMS GitHub Repository
Credit: Ahmet Ümit BAYRAM
Description: WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.