CVE-2025-67504

9.1 CRITICAL

📋 TL;DR

WBCE CMS versions 1.6.4 and below use PHP's non-cryptographically secure rand() function to generate passwords, making them predictable. Attackers can brute-force or predict passwords for new accounts or password resets, potentially leading to account compromise or privilege escalation. All users running affected versions are vulnerable.

💻 Affected Systems

Products:
  • WBCE CMS
Versions: 1.6.4 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default installations when using password generation features.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full administrative takeover of the CMS, data exfiltration, website defacement, or ransomware deployment.

🟠

Likely Case

Compromise of user accounts created during the vulnerable period, leading to unauthorized content modifications or data access.

🟢

If Mitigated

Limited impact if strong password policies, multi-factor authentication, and monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to password generation or reset functionality, but the cryptographic weakness makes brute-forcing trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.5

Vendor Advisory: https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6

Restart Required: No

Instructions:

1. Backup your WBCE CMS installation and database.
2. Download version 1.6.5 from the official GitHub releases.
3. Replace all files with the new version, preserving configuration files.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable automatic password generation (applies to: all)

Manually set strong passwords for all new accounts and password resets instead of using the vulnerable function.

🧯 If You Can't Patch

  • Force password resets for all accounts created or reset during the vulnerable period.
  • Implement strict monitoring for suspicious account activity and enable multi-factor authentication.

🔍 How to Verify

Check if Vulnerable:

Check the WBCE CMS version in the admin panel or by examining the /framework/CHANGELOG.md file.

Check Version:

grep -i 'version' /path/to/wbce/framework/CHANGELOG.md | head -1

Verify Fix Applied:

Confirm the version is 1.6.5 or higher and check that the GenerateRandomPassword() function in /framework/functions.php uses random_int() instead of rand().
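As an added illustration, not WBCE's own code, the following shows a password generator of the kind the advisory describes in its weak rand() form beside the random_int() form the fix uses; the function names and character set are assumptions.

```php
<?php
// Added illustration (not WBCE's own code): a password generator in the
// shape the advisory describes, in its weak and hardened forms.

// Weak form: rand() is a seeded PRNG (an alias of mt_rand() since PHP 7.1),
// so its output is fully determined by the seed and is not suitable for
// secrets such as passwords.
function generatePasswordWeak(int $length = 12): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $chars[rand(0, strlen($chars) - 1)];
    }
    return $password;
}

// Hardened form: random_int() draws from the operating system's CSPRNG and
// throws an Exception if no secure source is available instead of silently
// degrading to a predictable generator.
function generatePasswordSecure(int $length = 12): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($chars) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $chars[random_int(0, $max)];
    }
    return $password;
}

// Why the weak form matters: reseeding with the same value reproduces the
// same "random" password (PHP >= 7.1, where rand() shares mt_rand()'s state).
mt_srand(1234);
$first = generatePasswordWeak();
mt_srand(1234);
$second = generatePasswordWeak();
var_dump($first === $second);   // bool(true): output depends only on the seed

// The hardened form has no seed to reproduce; each call is independent.
var_dump(generatePasswordSecure(16) === generatePasswordSecure(16));   // bool(false)
```

When reviewing a patched installation, the check that matters is that no code path that produces a credential still calls rand() or mt_rand(); a version string alone does not prove that.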

📡 Detection & Monitoring

Log Indicators:

  • Unusual account creation spikes
  • Multiple failed login attempts from new accounts
  • Password reset requests for administrative accounts

Network Indicators:

  • Brute-force patterns against login or password reset endpoints

SIEM Query:

source="web_logs" (url="/admin/users/new" OR url="/password/reset") AND status=200 | stats count by src_ip
