CVE-2025-34506
Published: 11 December 2025
Summary
CVE-2025-34506 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WBCE CMS. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Validates contents of uploaded ZIP modules to block those embedding malicious PHP reverse shell code, directly mitigating the unrestricted file upload vulnerability.
Scans uploaded and installed modules for malicious code like PHP reverse shells, preventing or detecting execution upon installation.
Prohibits or approves administrator installation of unvetted CMS modules, restricting the upload and deployment of malicious ZIP files.
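The content validation and scanning described in these controls can be run on a module archive before an administrator installs it. The sketch below is an added example, not code from WBCE CMS or from the advisories referenced on this page; the function list is a heuristic assumption, and the helper names and sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic (assumed) list of PHP calls that spawn processes, open sockets or eval code.
SUSPICIOUS = re.compile(
    rb"\b(fsockopen|pfsockopen|socket_create|proc_open|popen|shell_exec|"
    rb"passthru|pcntl_exec|system|exec|eval|assert)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".phar", ".inc")

def vet_module_zip(data: bytes, max_member: int = 5 * 1024 * 1024):
    """Return (member, reason) findings for a module ZIP supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Entries that would be written outside the module directory.
            if name.startswith(("/", "\\")) or ".." in parts:
                findings.append((name, "path escapes module directory"))
                continue
            if info.is_dir() or not name.lower().endswith(PHP_EXT):
                continue
            # Refuse to vouch for files too large to inspect (also limits zip bombs).
            if info.file_size > max_member:
                findings.append((name, "PHP file too large to review"))
                continue
            body = zf.read(info)
            hits = {m.group(1).decode().lower() for m in SUSPICIOUS.finditer(body)}
            findings.extend((name, f"calls {fn}()") for fn in sorted(hits))
    return findings

def build_zip(files: dict) -> bytes:
    """Hypothetical helper: build an in-memory ZIP from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: inert text fragments, never executed by this script.
SAMPLE_FLAGGED = build_zip({
    "demo/info.php": "<?php $module_name = 'demo';",
    "demo/install.php": "<?php $s = fsockopen($host, $port); $p = proc_open($cmd, $spec, $pipes);",
})
SAMPLE_CLEAN = build_zip({
    "demo/info.php": "<?php $module_name = 'demo';",
    "demo/install.php": "<?php $database->query('CREATE TABLE demo (id INT)');",
})

if __name__ == "__main__":
    for member, reason in vet_module_zip(SAMPLE_FLAGGED):
        print(f"{member}: {reason}")
```

A pattern match of this kind is a triage signal for manual review, not proof that a module is safe; obfuscated code will not match, so it complements rather than replaces restricting who may install modules.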
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables authenticated RCE via upload and auto-execution of malicious ZIP modules containing PHP code (T1190: Exploit Public-Facing Application) and facilitates deployment of web shells through install.php payloads that execute arbitrary commands (T1505.003: Web Shell).
NVD Description
WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
Deeper analysis
CVE-2025-34506 is an authenticated remote code execution vulnerability in WBCE CMS version 1.6.3 and prior, published on 2025-12-11. The issue, tied to CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It enables administrators to upload malicious ZIP modules containing embedded PHP reverse shell code, which executes upon installation and grants remote system access.
Attackers require low-privilege authenticated access, specifically administrator credentials, to exploit the vulnerability over the network with no user interaction. By crafting a specially designed ZIP module and uploading it via the CMS module installation feature, the attacker achieves remote code execution. This results in high-impact compromise of confidentiality, integrity, and availability on the affected system.
Advisories and related resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload, Exploit-DB entry at https://www.exploit-db.com/exploits/52132, and proof-of-concept at https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE, document the issue but do not specify patches in the available details. The official WBCE CMS site at https://wbce-cms.org/ and GitHub repository at https://github.com/WBCE/WBCE_CMS should be consulted for any updates or mitigation guidance.
Details
- CWE(s)