## https://sploitus.com/exploit?id=A4CCC0F6-FE50-594E-8646-EF573BFFE4D7
# CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)
## Overview
| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-65094 |
| **Vulnerability Type** | Privilege Escalation / IDOR |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Description
WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the `groups[]` parameter in the `/admin/users/save.php` request. The UI restricts users to assigning only their existing group, but
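
A server-side check that enforces the restriction the UI applies, shown as an added example (not WBCE's code and not the upstream patch). The function name, the policy that a user may assign only groups they already belong to, and the sample group IDs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not WBCE code; function and variable names are hypothetical.
// Assumed policy (the one the UI already applies): a user may assign only
// groups that they themselves belong to.

/**
 * @param mixed $submitted   untrusted value of $_POST['groups']
 * @param int[] $actorGroups group IDs of the logged-in user, loaded server-side
 * @return int[] validated group IDs that are safe to store
 */
function authorizeGroupAssignment($submitted, array $actorGroups): array
{
    if (!is_array($submitted) || $submitted === []) {
        throw new InvalidArgumentException('groups[] must be a non-empty array');
    }
    $requested = [];
    foreach ($submitted as $value) {
        // Strict integer parsing: nested arrays, "1.0" or "1,2" all fail here.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('invalid group id in groups[]');
        }
        $requested[$id] = true; // array keys de-duplicate repeated IDs
    }
    $requested = array_keys($requested);

    // Reject the whole request if any ID lies outside the actor's own groups,
    // instead of silently dropping it, and record the attempt for review.
    $denied = array_diff($requested, array_map('intval', $actorGroups));
    if ($denied !== []) {
        error_log('denied group assignment, ids: ' . implode(',', $denied));
        throw new RuntimeException('not permitted to assign the requested groups');
    }
    return $requested;
}

// Constructed sample requests for an actor who belongs only to group 3.
foreach ([['3'], ['3', '1'], ['3 OR 1']] as $groups) {
    try {
        echo implode(',', authorizeGroupAssignment($groups, [3])), " accepted\n";
    } catch (Exception $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

The actor's group list must come from the session or database on the server, never from the request being validated.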
## Affected Products
- **WBCE/WBCE_CMS**
## References
- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44
- https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.