CVE-2025-66204

Published: Dec 8, 2025

Modified: Dec 9, 2025

PUBLISHED

Description

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
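The header-trust flaw described above, as an added example (not WBCE CMS code and not part of the CVE record): a failed-login counter keyed on a naive client-IP lookup, beside one that accepts `X-Forwarded-For` only when the connection comes from a trusted proxy. The proxy range, the sample addresses, the limit of 5 and all function names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this sketch: proxy range, limit and sample addresses are constructed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_FAILURES = 5

def is_trusted_proxy(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(remote_addr, headers):
    """Flawed pattern: a client-supplied header always overrides the TCP peer."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or remote_addr

def client_ip(remote_addr, headers):
    """Use X-Forwarded-For only when the TCP peer is one of our own proxies."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    # Walk right to left; the first hop that is not our proxy is the client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # empty or malformed entry: fall back to the peer address
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr

class LoginThrottle:
    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = defaultdict(int)

    def failed_login(self, remote_addr, headers):
        """Record a failed login; return True while more attempts are allowed."""
        key = self.resolver(remote_addr, headers)
        self.failures[key] += 1
        return self.failures[key] < MAX_FAILURES

def allowed_attempts(resolver, attempts=20):
    """Constructed traffic: one direct peer, a different header value per request."""
    throttle = LoginThrottle(resolver)
    return sum(throttle.failed_login("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"})
               for i in range(attempts))
```

With the naive resolver every request lands in a fresh counter, so the limit is never reached; with the peer-aware resolver all requests from the same connection source share one counter.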

| Vendor | Product | Versions |
| --- | --- | --- |
| WBCE | WBCE_CMS | affected: >= 1.6.4, < 1.6.5 |

Weaknesses (CWE)
