CVE-2025-67504
CRITICALWBCE CMS < 1.6.5 - Weak Password Generation via Insecure rand() Usage
Title source: llmDescription
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.
References (4)
Core 4
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6
Patch x_refsource_misc
https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6
Technical Description x_refsource_misc
https://cwe.mitre.org/data/definitions/338.html
Release Notes x_refsource_misc
https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
Scores
CVSS v3
9.1
EPSS
0.0044
EPSS Percentile
35.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-331
CWE-338
Status
published
Products (1)
wbce/wbce_cms
< 1.6.5
Published
Dec 09, 2025
Tracked Since
Feb 18, 2026