CVE-2023-53909

5.4 MEDIUM

📋 TL;DR

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability where authenticated users can upload malicious SVG files containing JavaScript. When victims access these uploaded files, the JavaScript executes in their browser context. This affects all WBCE CMS 1.6.1 installations with the media manager enabled.

💻 Affected Systems

Products:
  • WBCE CMS
Versions: 1.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the media manager functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠 Likely Case

Attackers with authenticated access could compromise other user accounts, steal sensitive data, or modify website content.

🟢 If Mitigated

With proper input validation and content security policies, the impact is limited to potential data leakage from the victim's session.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.2 or later

Vendor Advisory: https://wbce-cms.org/

Restart Required: No

Instructions:

1. Back up your WBCE CMS installation and database.
2. Download the latest version from wbce-cms.org.
3. Replace the existing installation files with the updated version.
4. Clear the browser cache and test functionality.

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Modify the media manager configuration to block SVG file uploads.

Edit /wbce/modules/elfinder/ef/php/connector.wbce.php to remove 'image/svg+xml' from the allowed MIME types. This only stops new uploads; SVG files already present in the media directory remain and should be reviewed or removed.

Implement Content Security Policy (applies to: all)

Add CSP headers to prevent inline script execution.

Send the header Content-Security-Policy: script-src 'self' in HTTP responses. The header must also be present on the response that serves the uploaded SVG file itself, because the script runs when the SVG is opened as its own document, where the policy of the CMS pages does not apply.

🧯 If You Can't Patch

  • Restrict media manager access to trusted administrators only
  • Implement web application firewall rules to block malicious SVG uploads

🔍 How to Verify

Check if Vulnerable:

Check if you can upload an SVG file containing <script>alert('XSS')</script> to the media manager and execute it when accessed

Check Version:

Check /wbce/info.php or admin dashboard for version number

Verify Fix Applied:

Attempt to upload the same malicious SVG file after patching - it should be blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads to /wbce/modules/elfinder/ef/php/connector.wbce.php
  • Multiple failed upload attempts with script content

Network Indicators:

  • POST requests to connector.wbce.php with SVG content containing script tags

SIEM Query:

source="web_server" AND uri="/wbce/modules/elfinder/ef/php/connector.wbce.php" AND method="POST" AND content_type="image/svg+xml"
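As an added example (not part of the advisory or of WBCE CMS): the SIEM predicate above applied to constructed key=value log lines, plus the upload-side check for active SVG content that the WAF rule or upload filter from the workarounds section would implement. The log format and its field names are assumptions.

```python
import xml.etree.ElementTree as ET
CONNECTOR = "/wbce/modules/elfinder/ef/php/connector.wbce.php"

# Constructed sample events in a hypothetical key=value web-server log format.
SAMPLE_LOGS = [
    f"source=web_server method=POST uri={CONNECTOR} content_type=image/svg+xml",
    f"source=web_server method=GET uri={CONNECTOR} content_type=-",
    f"source=web_server method=POST uri={CONNECTOR} content_type=image/png",
    "source=web_server method=POST uri=/index.php content_type=image/svg+xml",
]

def parse_event(line):
    """Split a key=value log line into a dict (values hold no spaces here)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def matches_siem_query(event):
    """Same predicate as the advisory's SIEM query: SVG POSTs to the connector."""
    return (event.get("source") == "web_server"
            and event.get("uri") == CONNECTOR
            and event.get("method") == "POST"
            and event.get("content_type") == "image/svg+xml")

def flag_svg_uploads(lines):
    return [ln for ln in lines if matches_siem_query(parse_event(ln))]

def local(name):
    """Strip a namespace such as {http://www.w3.org/2000/svg} from a tag/attr."""
    return name.rsplit("}", 1)[-1].lower()

def svg_has_active_content(data):
    """True if the SVG carries <script>, <foreignObject>, on* handlers or
    javascript: links. Unparseable input is treated as unsafe, not accepted."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        if local(el.tag) in ("script", "foreignobject"):
            return True
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                return True
            if local(attr) == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False

# Constructed samples: the advisory's test payload, an event-handler variant, a benign icon.
MALICIOUS_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS")</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" onload="alert(1)"/></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>'
```

The content check is deliberately conservative: it rejects anything it cannot parse rather than letting a malformed file through to a browser that might still render it.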
