
CVE-2023-39796

Severity: Critical
Published: 10 November 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (version 1.6.1)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7099 (98.7th percentile)
Risk Priority: 62 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-39796 is a critical-severity SQL Injection (CWE-89) vulnerability in WBCE CMS (vendor: WBCE). Its CVSS base score is 9.8 (Critical).

Operationally, the CVE ranks in the top 1.3% of all CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-39796 is a SQL injection vulnerability, tracked under CWE-89, that affects the miniform module in WBCE CMS version 1.6.0. The flaw resides in the handling of the DB_RECORD_TABLE parameter and carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

A remote unauthenticated attacker can supply a crafted DB_RECORD_TABLE value to trigger the injection, enabling execution of arbitrary code on the affected system. The attack requires no privileges and can be launched directly over the network.

The referenced WBCE forum thread and GitHub release notes for version 1.6.1 indicate that the issue is addressed by upgrading to that patched release.

EPSS for the CVE currently stands at 0.7099 after reaching a peak of 0.7953 on 2026-03-07.


Vulnerability details

SQL injection vulnerability in the miniform module in WBCE CMS v1.6.0 allows a remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wbce
Product: wbce cms
Version: 1.6.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

- Query input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
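The advisory's vulnerability details and the input-validation control above both come down to one defensive pattern: a request parameter that names a database table cannot be protected by bound placeholders (SQL drivers bind values, not identifiers), so it has to be checked against a fixed allowlist, while the record values alongside it go through prepared statements. The PHP below is an added illustration of that pattern written for this page; it is not WBCE's miniform code, and the function names, the allowlisted table names and the in-memory SQLite setup are assumptions chosen for the demonstration.

```php
<?php
// Added example (not WBCE code): hardening a query whose table name comes
// from request input, the weakness class (CWE-89) cited in this advisory.
// The function names, the allowlist entries and the sample data are assumed.

declare(strict_types=1);

// Vulnerable pattern: the caller-supplied table name and id are
// interpolated straight into the SQL text, so either can change the query.
function fetchRecordsUnsafe(PDO $pdo, string $table, string $id): array
{
    $sql = "SELECT * FROM {$table} WHERE id = {$id}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the identifier must match a fixed allowlist (placeholders
// cannot bind table names), and the value is bound as a typed parameter.
const ALLOWED_RECORD_TABLES = ['mod_miniform_records', 'mod_miniform_archive']; // assumed names

function fetchRecordsSafe(PDO $pdo, string $table, string $id): array
{
    if (!in_array($table, ALLOWED_RECORD_TABLES, true)) {
        throw new InvalidArgumentException('table name not in allowlist');
    }
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('record id must be numeric');
    }
    // $table is now one of our own constants, so quoting it as an identifier is safe.
    $stmt = $pdo->prepare("SELECT * FROM `{$table}` WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mod_miniform_records (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO mod_miniform_records (email) VALUES ('user@example.test')");

print_r(fetchRecordsSafe($pdo, 'mod_miniform_records', '1'));

try {
    // Any table name outside the allowlist is rejected before SQL is built.
    fetchRecordsSafe($pdo, 'sqlite_master', '1');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allowlist check is the part that matters for an identifier taken from a request: a prepared statement alone would still let the table name rewrite the query. For detection, the same boundary is a good place to log rejected values, since a legitimate client never sends a table name outside the configured set.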
