Cyber Posture

CVE-2025-34506

High · Public PoC

Published: 11 December 2025

Modified: 15 December 2025
KEV Added
Patch
CVSS Score 8.8 · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0101 · 77.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Validates contents of uploaded ZIP modules to block those embedding malicious PHP reverse shell code, directly mitigating the unrestricted file upload vulnerability.

prevent · detect

Scans uploaded and installed modules for malicious code like PHP reverse shells, preventing or detecting execution upon installation.

prevent

Prohibits or approves administrator installation of unvetted CMS modules, restricting the upload and deployment of malicious ZIP files.

Security Summary · AI

CVE-2025-34506 is an authenticated remote code execution vulnerability in WBCE CMS version 1.6.3 and prior, published on 2025-12-11. The issue, tied to CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It enables administrators to upload malicious ZIP modules containing embedded PHP reverse shell code, which executes upon installation and grants remote system access.

Attackers require low-privilege authenticated access, specifically administrator credentials, to exploit the vulnerability over the network with no user interaction. By crafting a specially designed ZIP module and uploading it via the CMS module installation feature, the attacker achieves remote code execution. This results in high-impact compromise of confidentiality, integrity, and availability on the affected system.

Advisories and related resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload, Exploit-DB entry at https://www.exploit-db.com/exploits/52132, and proof-of-concept at https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE, document the issue but do not specify patches in the available details. The official WBCE CMS site at https://wbce-cms.org/ and GitHub repository at https://github.com/WBCE/WBCE_CMS should be consulted for any updates or mitigation guidance.

Details

CWE(s)

Affected Products

wbce
wbce cms
≤ 1.6.3

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell · Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables authenticated RCE via upload and auto-execution of malicious ZIP modules containing PHP code (T1190: Exploit Public-Facing Application) and facilitates deployment of web shells through install.php payloads that execute arbitrary commands (T1505.003: Web Shell).
