CVE-2025-67504
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WBCE | WBCE_CMS | < 1.6.5 | affected |
Weaknesses
- CWE-331: CWE-331: Insufficient Entropy
- CWE-338: CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6
- https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6
- https://cwe.mitre.org/data/definitions/338.html
- https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.