CVE-2025-67504 · CRITICAL 9.8 · EPSS percentile 35.3%


Description

WBCE CMS is a content management system. Versions 1.6.4 and below use the function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not a cryptographically secure pseudo-random number generator, so the generated passwords can be predicted or brute-forced. This can lead to user account compromise or privilege escalation when these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% probability of exploitation · percentile 35.3% · scored 2026-06-19T12:03:05Z
Published: 2025-12-09
Last modified: 2025-12-11

Underlying weaknesses · 2

CWE-331 · CWE-338

References

  1. https://cwe.mitre.org/data/definitions/338.html
  2. https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6
  3. https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
  4. https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6


Type     | Target                                                              | Confidence | Tier
Weakness | Insufficient Entropy (cwe-331)                                      | 0%         | live
Weakness | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (cwe-338) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-65950
  2. CVE: CVE-2025-34506
  3. CVE: CVE-2025-66204
  4. CVE: CVE-2025-65094
  5. CVE: CVE-2025-60954
  6. CVE: CVE-2025-13390
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.