PT-2025-49680 · Wbce Cms · Wbce Cms
Published 2025-12-08 · Updated 2025-12-22
CVE-2025-66204
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WBCE CMS versions prior to 1.6.5
Description
WBCE CMS is a content management system susceptible to a brute-force protection bypass. The login attempt counter is keyed on the client address taken from the X-Forwarded-For header, which the application trusts without validation or restriction. An attacker can therefore reset the counter by sending a different X-Forwarded-For value with each request, enabling unlimited password guessing attempts. The vulnerable parameter is X-Forwarded-For.
Recommendations
Update to WBCE CMS version 1.6.5 or later.
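As an added illustration (not WBCE's code), the pattern behind this class of bug beside a hardened resolver: a login throttle that keys on whatever X-Forwarded-For says, versus one that honours the header only when the TCP peer is a configured trusted proxy. The addresses and the proxy list are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed values: assume a single reverse proxy at 10.0.0.5 is the only
# legitimate source of X-Forwarded-For; everything else is a direct client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
MAX_ATTEMPTS = 5


def client_ip_naive(remote_addr, headers):
    # Vulnerable pattern: any client can set X-Forwarded-For, so the key the
    # throttle counts on is attacker-controlled and can change per request.
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def client_ip_hardened(remote_addr, headers):
    # Honour the header only when the TCP peer is a trusted proxy, and then
    # use the rightmost hop, which is the address that proxy itself appended.
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1])) if hops else remote_addr
    except ValueError:  # malformed value from the proxy: fall back to the peer
        return remote_addr


class LoginThrottle:
    def __init__(self, resolve_ip):
        self.resolve_ip = resolve_ip
        self.failures = defaultdict(int)

    def allowed(self, remote_addr, headers):
        return self.failures[self.resolve_ip(remote_addr, headers)] < MAX_ATTEMPTS

    def record_failure(self, remote_addr, headers):
        self.failures[self.resolve_ip(remote_addr, headers)] += 1


def simulate(resolve_ip, attempts=20):
    # One direct client (203.0.113.9) sends `attempts` failed logins, each with
    # a fresh spoofed X-Forwarded-For. Returns how many got past the throttle.
    throttle = LoginThrottle(resolve_ip)
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}
        if throttle.allowed("203.0.113.9", headers):
            allowed += 1
            throttle.record_failure("203.0.113.9", headers)
    return allowed
```

With the naive resolver every attempt is accepted; with the hardened one the same client is cut off after MAX_ATTEMPTS, while requests arriving through the trusted proxy are still attributed to the real client address.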
Protection Mechanism Failure
Improper Restriction of Excessive Authentication Attempts
Affected Products
Wbce Cms