CVE-2022-50936
Unknown Unknown - Not Provided
Authenticated Remote Code Execution via Droplet Upload in WBCE CMS

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50936
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wbce cms 1.5.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50936 is an authenticated remote code execution vulnerability in WBCE CMS version 1.5.2. It allows attackers who have admin panel access to upload malicious 'droplets' (code snippets/plugins) via a specially crafted ZIP file. These droplets contain arbitrary PHP code that, once uploaded and embedded into the CMS pages, can be executed on the server, enabling the attacker to run arbitrary commands with the web server's privileges. [3, 4]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the server hosting WBCE CMS. An attacker with valid admin credentials can upload and execute malicious PHP code, potentially leading to full system compromise, data theft, service disruption, or further attacks such as establishing reverse shells to maintain persistent access. [3, 4]

Detection Guidance

Detection of this vulnerability involves verifying if WBCE CMS version 1.5.2 is in use and monitoring for suspicious authenticated uploads of ZIP files containing droplets via the admin panel. Since exploitation requires authenticated access and involves uploading a specially crafted ZIP file, network detection could focus on monitoring HTTP POST requests to the admin tools upload endpoints for unusual file uploads or unexpected admin panel activity. Specific commands are not provided in the resources, but general approaches include inspecting web server logs for POST requests to the droplet upload functionality and checking for creation of new pages or modifications in the CMS that include unexpected PHP code. Additionally, monitoring for reverse shell connections or unusual outbound connections from the web server could indicate exploitation. [3, 4]

Mitigation Strategies

Immediate mitigation steps include upgrading WBCE CMS from version 1.5.2 to a later, patched version such as 1.6.5 or newer, as available on the official WBCE CMS downloads page. Restricting administrative access to trusted users and enforcing strong authentication can reduce risk. Additionally, monitoring and restricting file upload capabilities in the admin panel, especially for ZIP files or droplets, can help prevent exploitation. Applying web application firewall (WAF) rules to detect and block malicious upload attempts and suspicious POST requests targeting the admin panel is also recommended. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart