The vulnerability CVE-2025-65950 in WBCE CMS versions 1.6.4 and below is a critical SQL injection flaw within the user management module. It allows any authenticated user with permissions to modify other user profiles to execute arbitrary SQL commands. The issue is specifically located in the `admin/users/save.php` script responsible for processing user profile updates.

When a user edit form is submitted, the script receives input through the `groups[]` parameter, which is intended to assign user groups. This parameter is not properly sanitized or validated before being incorporated into an SQL query. An attacker can craft a malicious payload within the `groups[]` parameter to inject SQL code. This injected code is then executed directly against the application’s database. Due to the nature of the query and the attacker’s authenticated session, the injection can manipulate the underlying SQL statement structure.

This vulnerability can be exploited to read, modify, or delete any data within the connected database. It enables full database compromise, including exfiltration of sensitive information like passwords, user details, and system settings. The flaw effectively bypasses the application’s security controls, granting the attacker privileges far beyond their intended role. The arbitrary SQL execution can also potentially be used to write files to the server or, in some configurations, achieve remote code execution. The attack requires no special user interaction and can be performed through standard web requests.

The core failure is the lack of prepared statements or proper escaping for user-supplied data in the `groups[]` field. This missing security layer allows the input to be interpreted as part of the SQL command rather than as simple data. Consequently, a low-privileged user can escalate their access to full administrative control over the CMS database.

The fixed version 1.6.5 addresses this by implementing proper parameterized queries or input sanitization for the affected parameter.
Platform: WBCE CMS
Version: 1.6.4 and below
Vulnerability: SQL Injection
Severity: Critical
Date: 10 Dec 2025
Prediction: Patched in 1.6.5
What Undercode Say:
Bash Commands and Codes
```bash
# Example curl command to test for the vulnerability by injecting into the 'groups[]' parameter
curl -X POST 'http://target.site/admin/users/save.php' -d "id=2&groups[]=1' OR '1'='1"
```
```php
// Hypothetical vulnerable code snippet from admin/users/save.php similar to the flaw
$user_groups = $_POST['groups']; // Unsanitized user input from the groups[] array
$user_id = $_POST['id'];
// The input is directly concatenated into the SQL query
$sql = "UPDATE users SET groups = '" . implode(",", $user_groups) . "' WHERE id = " . $user_id;
$result = mysqli_query($conn, $sql); // SQL Injection occurs here
```
How to Exploit:
Protection from this CVE
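One way to close the hole described above, shown as an added example (it is not WBCE's actual 1.6.5 patch and not code from the original post): validate every `groups[]` element as an integer and bind both values through a prepared statement. The `users` table and `groups` column follow the hypothetical snippet on this page; `parse_group_ids` and `save_user_groups` are hypothetical helper names.

```php
<?php
// Added example: hardened counterpart to the hypothetical snippet on this page.
// Table `users` and column `groups` are assumed from that snippet.

// Return the submitted group IDs as positive integers, or null if any element
// is not a positive decimal number without leading zeros (nested arrays fail too).
function parse_group_ids($raw): ?array
{
    if (!is_array($raw) || $raw === []) {
        return null;
    }
    $ids = [];
    foreach ($raw as $value) {
        if (!is_string($value) || preg_match('/\A[1-9][0-9]{0,8}\z/', $value) !== 1) {
            return null;
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

// Hypothetical replacement for the concatenated UPDATE: both values are bound,
// so they reach the database as data and never as SQL text.
function save_user_groups(mysqli $conn, $rawId, $rawGroups): bool
{
    $userId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $groupIds = parse_group_ids($rawGroups);
    if ($userId === false || $groupIds === null) {
        return false; // reject the whole request instead of trying to "clean" it
    }
    $groupList = implode(',', $groupIds);
    $stmt = $conn->prepare('UPDATE `users` SET `groups` = ? WHERE `id` = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $groupList, $userId);
    return $stmt->execute();
}

// Constructed inputs: a normal submission, the payload shape from the curl line,
// a nested array, and a scalar where an array is expected.
foreach ([['1', '3'], ["1' OR '1'='1"], [['2']], 'not-an-array'] as $sample) {
    $ids = parse_group_ids($sample);
    echo json_encode($sample), ' => ', $ids === null ? 'rejected' : implode(',', $ids), PHP_EOL;
}
```

Rejected requests are also worth logging with the session's user ID, since a non-numeric `groups[]` value never comes from the legitimate edit form.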
Impact:
Sources:
Reported By: nvd.nist.gov

