CVE-2025-66204

Summary

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying X-Forwarded-For on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the X-Forwarded-For header without validating it or restricting its usage. This issue is fixed in version 1.6.5.

Affected Software

VendorProductVersion RangeStatus
WBCEWBCE_CMS>= 1.6.4, < 1.6.5affected

Weaknesses

  • CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-693: CWE-693: Protection Mechanism Failure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References