CVE-2025-66204 · HIGH 8.1 · EPSS p31.8%


Description

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
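To make the weakness class concrete, here is an added Python illustration (not WBCE code, and not the project's 1.6.5 patch) of a login throttle keyed on the client address. The naive key function trusts `X-Forwarded-For` unconditionally, so every request that carries a different header value gets a fresh failure counter; the hardened key function only honours the header when the TCP peer is in an assumed trusted-proxy range (the `10.0.0.0/8` value is a placeholder) and walks the header from the right to find the first hop a trusted proxy did not add. The request lists and addresses are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed reverse-proxy range; in practice this comes from deployment config.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
MAX_ATTEMPTS = 5


def client_ip_naive(remote_addr, headers):
    """Weak pattern: the header is trusted from anyone, so the caller chooses its own key."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only when the socket peer is a trusted proxy,
    and take the rightmost address that is not itself a trusted proxy."""
    if not any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        return remote_addr  # direct connection: the header is untrusted input
    xff = headers.get("X-Forwarded-For", "")
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    for candidate in reversed(parts):
        try:
            addr = ip_address(candidate)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return remote_addr


class LoginThrottle:
    """Minimal per-key failure counter; lockout after MAX_ATTEMPTS failures."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok):
        key = self.key_func(remote_addr, headers)
        if self.failures[key] >= MAX_ATTEMPTS:
            return "locked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(throttle, attempts):
    """Run a list of (remote_addr, headers) failed-login requests through a throttle."""
    return [throttle.attempt(remote_addr, headers, password_ok=False)
            for remote_addr, headers in attempts]


# Constructed sample: eight failed logins straight from one peer address,
# each carrying a different X-Forwarded-For value (the pattern in the advisory).
ROTATING_HEADER_TRAFFIC = [
    ("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(8)
]


def run_naive():
    return simulate(LoginThrottle(client_ip_naive), ROTATING_HEADER_TRAFFIC)


def run_hardened():
    return simulate(LoginThrottle(client_ip_hardened), ROTATING_HEADER_TRAFFIC)


if __name__ == "__main__":
    print("naive   :", run_naive())     # counter never reaches the limit
    print("hardened:", run_hardened())  # lockout after MAX_ATTEMPTS
```

With the naive key every one of the eight requests is merely "denied", because each lands in a new counter; with the hardened key the peer address is the counter key, so the sixth request is already "locked". Keying on `REMOTE_ADDR` alone is safe only when the application is not behind a proxy; behind one, the trusted-proxy check is what keeps the header from being attacker-controlled.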

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.40% probability of exploitation · percentile 31.8% · 2026-06-18T12:00:27Z
Published: 2025-12-09
Last modified: 2025-12-11

Underlying weaknesses · 2

CWE-307, CWE-693

References

  1. https://github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5
  2. https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
  3. https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw


Type     | Target                                                    | ID      | Confidence | Tier
Weakness | Improper Restriction of Excessive Authentication Attempts | CWE-307 | 0%         | live
Weakness | Protection Mechanism Failure                              | CWE-693 | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-67504
  2. CVE: CVE-2025-65950
  3. CVE: CVE-2025-65094
  4. CVE: CVE-2025-34506
  5. CVE: CVE-2025-65840
  6. CVE: CVE-2025-69246

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.