CVE-2022-50936
Authenticated Remote Code Execution via Droplet Upload in WBCE CMS
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wbce | cms | 1.5.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50936 is an authenticated remote code execution vulnerability in WBCE CMS version 1.5.2. It allows attackers who have admin panel access to upload malicious 'droplets' (code snippets/plugins) via a specially crafted ZIP file. These droplets contain arbitrary PHP code that, once uploaded and embedded into the CMS pages, can be executed on the server, enabling the attacker to run arbitrary commands with the web server's privileges. [3, 4]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote code execution on the server hosting WBCE CMS. An attacker with valid admin credentials can upload and execute malicious PHP code, potentially leading to full system compromise, data theft, service disruption, or further attacks such as establishing reverse shells to maintain persistent access. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying whether WBCE CMS version 1.5.2 is in use and monitoring for suspicious authenticated uploads of ZIP files containing droplets via the admin panel. Because exploitation requires authenticated access and the upload of a specially crafted ZIP file, network detection can focus on HTTP POST requests to the admin tools upload endpoints, looking for unusual file uploads or unexpected admin panel activity. The resources do not provide specific commands, but general approaches include inspecting web server logs for POST requests to the droplet upload functionality and checking for newly created or modified CMS pages that include unexpected PHP code. Monitoring for reverse shell connections or other unusual outbound connections from the web server could also indicate exploitation. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading WBCE CMS from version 1.5.2 to a later, patched version such as 1.6.5 or newer, as available on the official WBCE CMS downloads page. Restricting administrative access to trusted users and enforcing strong authentication can reduce risk. Additionally, monitoring and restricting file upload capabilities in the admin panel, especially for ZIP files or droplets, can help prevent exploitation. Applying web application firewall (WAF) rules to detect and block malicious upload attempts and suspicious POST requests targeting the admin panel is also recommended. [2, 4]
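One way to review a droplet archive before it is imported through the admin panel, as an added example that is not from WBCE CMS or the referenced resources. It assumes droplets arrive as PHP text files inside the ZIP; the list of flagged functions, the size limit and the sample archive are illustrative choices.

```python
import io
import re
import zipfile

# Assumption: PHP primitives worth a manual look in a droplet. The list is
# illustrative and is not taken from WBCE CMS or the advisory.
RISKY_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|"
    r"fsockopen|eval|assert|base64_decode)\s*\(",
    re.IGNORECASE,
)
MAX_MEMBER_BYTES = 1_000_000  # assumed cap; skip members declaring more than this


def scan_droplet_zip(data: bytes) -> dict[str, list[str]]:
    """Return {member name: sorted findings} for a droplet archive."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # A member name that escapes the target directory is itself a finding.
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                findings[info.filename] = ["unsafe-path"]
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings[info.filename] = ["oversized"]
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = sorted({m.group(1).lower() for m in RISKY_CALLS.finditer(text)})
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one plain droplet and one that shells out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("year.php", "// prints the year\nreturn date('Y');\n")
        zf.writestr("status.php", "// host status\nreturn shell_exec('uptime');\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, calls in scan_droplet_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(calls)}")
```

A match is a prompt for manual review, not proof of compromise, since droplets are PHP by design and some legitimate ones call these functions.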