CVE-2025-3800

Name of the Vulnerable Software and Affected Versions WCMS version 11

Description A critical vulnerability has been found in WCMS 11, affecting an unknown functionality of the file app/controllers/AnonymousController.php. The manipulation of the mobile phone argument leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Recommendations As a temporary workaround, consider disabling the functionality related to the mobile phone argument in the AnonymousController.php file until a patch is available. Restrict access to the vulnerable file app/controllers/AnonymousController.php to minimize the risk of exploitation. Avoid using the mobile phone parameter in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.