## https://sploitus.com/exploit?id=PACKETSTORM:218769
# CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-65094](https://nvd.nist.gov/vuln/detail/CVE-2025-65094) |
| **Severity** | HIGH |
| **Advisory** | [View Advisory](https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **WBCE/WBCE_CMS**
## Details
### Summary
A low-privileged user in WBCE CMS can escalate their privileges to the **Administrators** group by manipulating the `groups[]` parameter in the `/admin/users/save.php` request.
The UI restricts users to assigning only their existing group, but **server-side validation is missing**, allowing attackers to overwrite their group membership and obtain full administrative access.
This results in a **complete compromise of the CMS**.
---
## Upstream Fix Confirmation
The project maintainers have remediated the issue in the following commit:
- **Commit:** `9604617`
- **Title:** *"changes in user management"*
- **Link:** https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
**Relevant commit message:**
> allow administrators only to assign users to any group; usual users may assign themselves and other users only to groups where they already belong to.
This directly addresses the improper access control in group assignment.
---
### Details
WBCE CMS uses **group permissions** to restrict access to administrative features.
A restricted group (`Users`) was created with the following permissions:
| Permission Category | Setting |
|--------------------|--------------------|
| Pages | View |
| Media | View |
| Add-ons | View |
| Settings | View |
| **Access โ Users** | **View + Modify** |
| **Access โ Groups**| **View** |
| Admin-Tools | *(none)* |
<img width="1243" height="1266" alt="image" src="https://github.com/user-attachments/assets/aaa4bb9e-becd-47bd-9c87-a0887e54924f" />
This setup ensures that low-privileged users:
- cannot create or edit other users (besides modifying their own profile),
- cannot manage groups,
- cannot install or modify modules,
- cannot access admin tools,
- cannot perform administrative actions.
Their only elevated permission is:
> **Users โ Modify**, intended solely for editing their own account.
---
### Vulnerable Behavior
When modifying their own profile via:
**Access โ Users โ Modify User**
the backend fails to validate whether the submitted `groups[]` value corresponds to allowed UI options.
An attacker can intercept and modify the request:
`groups[]=2` โ attacker changes to โ `groups[]=1`
This immediately assigns the user to the **Administrators** group.
### Affected Code Paths
(as confirmed by commit `9604617`)
The following files participate in group assignment but previously lacked proper authorization logic:
- `wbce/admin/users/index.php`
- `wbce/admin/users/users.php`
- `wbce/admin/users/save.php`
The fix introduces **server-side validation** that:
- Allows **administrators** to assign any group.
- Restricts **regular users** to groups they already belong to.
This confirms an **Improper Access Control / IDOR** vulnerability in the group assignment process.
---
## Proof of Concept (PoC)
### 1. Create a restricted group
Configure a group named **Users** with:
- Users โ Modify (enabled)
- All other permissions disabled
<img width="1243" height="1266" alt="image" src="https://github.com/user-attachments/assets/e9bd6cd7-e96c-4df2-904b-26d073abb9be" />
---
### 2. Create a low-privileged user
<img width="1567" height="908" alt="image" src="https://github.com/user-attachments/assets/c5acb1fb-c872-415f-8ac2-94b1921f47e1" />
---
### 3. Log in as the low-privileged user
Navigate to:
**Access โ Users โ Modify User**
<img width="1749" height="1020" alt="image" src="https://github.com/user-attachments/assets/35ffafac-d60e-42fc-a6be-5450821db003" />
Intercept the outgoing request using a proxy such as Burp Suite.
---
### 4. Modify the group assignment parameter
**Original request parameter:**
`groups%5B%5D=2`
**Modified request parameter:**
`groups%5B%5D=1`
Changing the parameter to `1` assigns the user to the **Administrators** group.
---
### 5. Forward the request
<img width="1920" height="676" alt="image" src="https://github.com/user-attachments/assets/ef980f1f-3650-4e7e-a67d-e95438584360" />
---
### 6. Administrative access obtained
After re-authentication, the user gains full access to administrative tools and features.
<img width="1355" height="781" alt="image" src="https://github.com/user-attachments/assets/cdd06bbd-a6c1-4b80-8050-a012354c9496" />
---
## Impact
This is a **privilege escalation vulnerability** that allows any low-privileged authenticated user to:
1. Escalate to the **Administrators** group
2. Gain full control of the CMS
3. Install arbitrary modules
4. Access all administrative tools
5. Potentially achieve **remote code execution** via malicious module upload
6. Modify or delete any content managed by the CMS
## References
- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44
- https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.