216.73.217.176

CVE-2025-66204

· Published 09/12/2025 00:15 · Modified 11/12/2025 16:02

Labels: CVE-2025-66204 2025-12-09CVE-2025-66204CWE-307[email protected]

Essential information

Published
09/12/2025 00:15
Modified
11/12/2025 16:02
Author
Creator
CVSS
6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wbce / wbce cms cpe:2.3:a:wbce:wbce_cms:*:*:*:*:*:*:*:*

References