WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter
CVE-2025-65950

9.4 CRITICAL

Key Information:

Vendor: Wbce

Status
Vendor
CVE Published: 10 December 2025

What is CVE-2025-65950?

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permission to modify users to execute arbitrary SQL queries. This can be escalated to full database compromise and data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5.
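The class of fix for an array parameter such as groups[] is strict validation plus bound parameters. The PHP below is an added example, not WBCE's code and not the 1.6.5 patch; the table, column and function names are hypothetical, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Reduce a submitted groups[] value to unique positive integer IDs, or throw.
function normalize_group_ids(mixed $raw): array
{
    if (!is_array($raw) || $raw === []) {
        throw new InvalidArgumentException('groups[] must be a non-empty array');
    }
    $ids = [];
    foreach ($raw as $value) {
        // Accept only 1-9 ASCII digits: no signs, spaces, nested arrays or SQL text.
        if (!is_string($value) || !ctype_digit($value) || strlen($value) > 9) {
            throw new InvalidArgumentException('groups[] entries must be numeric IDs');
        }
        $id = (int) $value;
        if ($id < 1) {
            throw new InvalidArgumentException('group ID must be positive');
        }
        $ids[$id] = $id; // keyed by ID to drop duplicates
    }
    return array_values($ids);
}

// Store the validated list through bound parameters; no request data is
// concatenated into the SQL text. Table and column names are hypothetical.
function save_user_groups(PDO $db, int $userId, mixed $rawGroups): void
{
    $ids = normalize_group_ids($rawGroups);
    $stmt = $db->prepare(
        'UPDATE demo_users SET group_id = :primary_id, groups_id = :all_ids WHERE user_id = :uid'
    );
    $stmt->execute([':primary_id' => $ids[0], ':all_ids' => implode(',', $ids), ':uid' => $userId]);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_users (user_id INTEGER PRIMARY KEY, group_id INTEGER, groups_id TEXT)');
$db->exec("INSERT INTO demo_users VALUES (7, 2, '2')");

save_user_groups($db, 7, ['3', '5', '3']);              // well-formed form submission
try {
    save_user_groups($db, 7, ['3', '5 and more text']); // non-numeric entry is refused
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r($db->query('SELECT * FROM demo_users')->fetch(PDO::FETCH_ASSOC));
```

Rejecting the whole request on the first malformed entry, rather than silently casting it, also gives the application a clean event to log when groups[] arrives with unexpected content.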

Affected Version(s)

WBCE_CMS < 1.6.5

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
