CVE-2023-53910

5.4 MEDIUM

📋 TL;DR

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious JavaScript into page content via the WYSIWYG editor. This can lead to session hijacking, credential theft, or defacement when other users view the compromised pages. Only WBCE CMS installations with version 1.6.1 are affected.

💻 Affected Systems

Products:
  • WBCE CMS
Versions: 1.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with content editing permissions. The vulnerability exists in the WYSIWYG editor's save functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise.

🟠 Likely Case

Authenticated attackers with content editing privileges inject malicious scripts to steal session cookies or credentials from other users viewing affected pages.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be sanitized before execution, preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via POST requests to /wbce/modules/wysiwyg/save.php with malicious script content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.2 or later

Vendor Advisory: https://wbce-cms.org/

Restart Required: No

Instructions:

1. Back up your WBCE CMS installation and database.
2. Download the latest version from the official website.
3. Replace the affected files, particularly focusing on /modules/wysiwyg/save.php and related editor components.
4. Verify the update by checking the version in the admin panel.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize HTML content before saving to database

Modify /wbce/modules/wysiwyg/save.php to include an HTML sanitization library such as HTMLPurifier.

Content Security Policy

all

Implement CSP headers to restrict script execution sources

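Add the header Content-Security-Policy: script-src 'self' to HTTP responses. Without 'unsafe-inline', this policy also blocks inline script blocks and inline event handlers, so confirm that pages relying on inline scripts still work.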

🧯 If You Can't Patch

  • Restrict content editing permissions to trusted administrators only
  • Implement web application firewall rules to block POST requests containing script tags to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check if version is 1.6.1 in admin panel or by examining /wbce/info.php. Test by attempting to save page content with <script>alert('test')</script> via the WYSIWYG editor.

Check Version:

Check admin panel dashboard or view /wbce/info.php in browser

Verify Fix Applied:

After patching, attempt the same XSS test. The script should be sanitized or blocked. Verify version shows 1.6.2 or later.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wbce/modules/wysiwyg/save.php containing script tags or JavaScript code
  • Unusual content updates from user accounts

Network Indicators:

  • HTTP POST requests to vulnerable endpoint with suspicious content parameters
  • Outbound connections to external domains from page views

SIEM Query:

source="web_server" AND (url_path="/wbce/modules/wysiwyg/save.php" AND method="POST" AND content="*<script>*")
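The query above matches only the literal string <script>. As an added example (not part of the original advisory or of WBCE's code), the sketch below applies the same log indicator after URL-decoding the POST body and also matches mixed-case tags, inline event handlers and javascript: URIs. The record field names, the 'content' parameter and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Path suffix from the advisory; the install prefix (/wbce) may differ per site.
ENDPOINT_SUFFIX = "/modules/wysiwyg/save.php"

# Markup that can execute script when the saved page is later rendered.
PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
}

def decode(body, rounds=3):
    """URL-decode until stable so double-encoded bodies are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body

def findings(record):
    """Return the names of patterns matched by one log record, or []."""
    path = record["path"].split("?", 1)[0]
    if record["method"].upper() != "POST" or not path.endswith(ENDPOINT_SUFFIX):
        return []
    body = decode(record["body"])
    return [name for name, rx in PATTERNS.items() if rx.search(body)]

def scan(records):
    """Return (user, matched pattern names) for every flagged record."""
    return [(r["user"], f) for r in records if (f := findings(r))]

# Constructed sample records; field names and the 'content' parameter are assumptions.
P = "/wbce/modules/wysiwyg/save.php"
SAMPLE = [
    {"user": "editor1", "method": "POST", "path": P, "body": "content=%3Cp%3EOpening+hours%3C%2Fp%3E"},
    {"user": "editor2", "method": "POST", "path": P, "body": "content=%3CScRiPt%3Ealert(1)%3C%2Fscript%3E"},
    {"user": "editor3", "method": "POST", "path": P, "body": "content=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"},
    {"user": "editor4", "method": "POST", "path": P, "body": "content=%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
    {"user": "editor5", "method": "GET", "path": P, "body": "content=%3Cscript%3E"},
    {"user": "editor6", "method": "POST", "path": "/wbce/other/save.php", "body": "content=%3Cscript%3E"},
]

if __name__ == "__main__":
    for user, hits in scan(SAMPLE):
        print(user, hits)
```

Legitimate pages can contain inline event handlers, so treat event_handler hits as leads to review against the editing account rather than as confirmed injections.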
