CVE-2025-66204
Published: 09 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to gain initial access to a network.
Security Summary
WBCE CMS version 1.6.4, a content management system, is affected by CVE-2025-66204, a brute-force protection bypass vulnerability mapped to CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-693 (Protection Mechanism Failure). The flaw stems from the application trusting the X-Forwarded-For header unconditionally, with no validation and no restriction to requests arriving from a known proxy. Because the brute-force counter is keyed on that client-supplied value, an attacker can reset it indefinitely by changing the header on every request. This effectively disables all brute-force protection and permits unlimited password guessing.
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that exploitation is possible over the network by unauthenticated remote attackers with no user interaction, though it requires high attack complexity. Attackers can achieve high impact on confidentiality, integrity, and availability by bypassing rate limiting to brute-force credentials, potentially leading to unauthorized access to the CMS.
The fix ships in WBCE CMS version 1.6.5. It is documented in GitHub advisory GHSA-f676-f375-m7mw, in the release notes at github.com/WBCE/WBCE_CMS/releases/tag/1.6.5, and in commit 3765baddf27f31bbbea9c0228c452268621b25e5. Practitioners should upgrade immediately and review reverse-proxy configuration so that client-address headers are trusted only when they were set by the proxy itself, avoiding similar header trust issues.
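The following added example (illustration only, not WBCE CMS code; the addresses, the proxy at 10.0.0.1 and the lockout threshold are constructed) contrasts the vulnerable pattern, a login counter keyed on whatever X-Forwarded-For says, with a resolver that honours the header only from a configured proxy:

```python
"""Login rate limiter keyed on client IP: the X-Forwarded-For trust flaw
behind CVE-2025-66204 beside a hardened resolver. Illustration, not WBCE code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_ATTEMPTS = 5                                  # assumed lockout threshold
TRUSTED_PROXIES = [ip_network("10.0.0.1/32")]     # assumed reverse proxy

def client_ip_naive(remote_addr, headers):
    """Vulnerable: X-Forwarded-For is believed from any peer, so the sender picks the counter key."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a configured proxy, and use
    the rightmost hop (the one that proxy appended). Garbage falls back to the peer."""
    if not any(ip_address(remote_addr) in net for net in trusted):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    try:
        return str(ip_address(hops[-1]))
    except ValueError:
        return remote_addr

class LoginLimiter:
    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = defaultdict(int)   # failed attempts per resolved client key
    def attempt(self, remote_addr, headers, password_ok=False):
        """True if the credentials get evaluated, False if this key is locked out."""
        key = self.resolver(remote_addr, headers)
        if self.failures[key] >= MAX_ATTEMPTS:
            return False
        if not password_ok:
            self.failures[key] += 1
        return True

def guesses_evaluated(resolver, peer, via_proxy, n=20):
    """Constructed scenario: one host sends n wrong passwords and rotates
    X-Forwarded-For on every request. Returns how many were actually evaluated."""
    lim = LoginLimiter(resolver)
    allowed = 0
    for i in range(n):
        spoof = f"203.0.113.{i}"
        # a real proxy appends the true client address after whatever it received
        xff = f"{spoof}, {peer}" if via_proxy else spoof
        src = "10.0.0.1" if via_proxy else peer
        allowed += lim.attempt(src, {"X-Forwarded-For": xff})
    return allowed
```

With the naive resolver all 20 guesses are evaluated whether the host connects directly or through the proxy; with the hardened one the counter stays bound to the real peer and locks after 5.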
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses brute-force protections via X-Forwarded-For header manipulation, directly enabling unlimited password guessing (T1110.001) on a public-facing CMS application (T1190).