CVE-2025-66204 MEDIUM

CVE-2025-66204: WBCE CMS allows brute-force protection bypass using X-Forwarded-For header

Vendor Wbce
Product WBCE_CMS
Weakness CWE-307 · Brute force
Published December 8, 2025
Last update December 9, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.

Key dates

02Disclosure timeline

December 8, 2025 CVE published
December 9, 2025 Record updated