Vulnerability Description
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wbce | Wbce Cms | < 1.6.5 |
Related Weaknesses (CWE)
References
- https://cwe.mitre.org/data/definitions/338.htmlTechnical Description
- https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6Patch
- https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5Release Notes
- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6ExploitVendor Advisory
- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6ExploitVendor Advisory
FAQ
What is CVE-2025-67504?
CVE-2025-67504 is a vulnerability with a CVSS score of 9.1 (CRITICAL). WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows pas...
How severe is CVE-2025-67504?
CVE-2025-67504 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-67504?
Check the references section above for vendor advisories and patch information. Affected products include: Wbce Wbce Cms.