CVE-2023-39796
Published: 10 November 2023
Summary
CVE-2023-39796 is a critical-severity SQL Injection (CWE-89) vulnerability in WBCE CMS. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-39796 is a SQL injection vulnerability, tracked under CWE-89, that affects the miniform module in WBCE CMS version 1.6.0. The flaw resides in the handling of the DB_RECORD_TABLE parameter and carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.
A remote unauthenticated attacker can supply a crafted DB_RECORD_TABLE value to trigger the injection, enabling execution of arbitrary code on the affected system. The attack requires no privileges and can be launched directly over the network.
The referenced WBCE forum thread and GitHub release notes for version 1.6.1 indicate that the issue is addressed by upgrading to that patched release.
EPSS for the CVE currently stands at 0.7099 after reaching a peak of 0.7953 on 2026-03-07.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-43496
Vulnerability details
SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows a remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.