Home > Vulnerability Database > CVE-2025-66204

Mend.io Vulnerability Database

CVE-2025-66204

Good to know:

Date: December 8, 2025

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying "X-Forwarded-For" on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the "X-Forwarded-For" header without validating it or restricting its usage. This issue is fixed in version 1.6.5.

Severity Score

8.1

Related Resources (5)

Url: https://github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5

Url: https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw

Url: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66204

Url: https://www.mend.io/vulnerability-database/CVE-2025-66204

Severity Score

8.1

Weakness Type (CWE)

Protection Mechanism Failure

CWE-693

Improper Restriction of Excessive Authentication Attempts

CWE-307

Top Fix

Upgrade Version

Upgrade to version https://github.com/WBCE/WBCE_CMS.git - 1.6.5

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66204

Good to know:

Date: December 8, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?