CVE-2025-5149

Name of the Vulnerable Software and Affected Versions WCMS versions up to 8.3.11

Description A critical issue has been found in the Login component, specifically affecting the getMemberByUid function. The manipulation of the uid argument leads to improper authentication, allowing for remote attacks. The complexity of an attack is rather high, and the exploitation appears to be difficult. The issue has been publicly disclosed, and the vendor was contacted but did not respond.

Recommendations For WCMS versions up to 8.3.11, as a temporary workaround, consider disabling the getMemberByUid function until a patch is available. Restrict access to the /index.php?articleadmin/getallcon endpoint to minimize the risk of exploitation. Avoid using the uid argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.