WBCE CMS
cpe:2.3:a:wbce:wbce_cms:*:*:*:*:*:*:*
- < 1.6.4
A privilege escalation vulnerability has been identified in WBCE CMS versions prior to 1.6.4. Low-privileged users can manipulate the groups[] parameter in the /admin/users/save.php request to assign themselves to the Administrators group. The user interface only offers the groups the acting user already holds, but the server does not validate the submitted values, so users can overwrite their own group memberships with groups they were never offered. This flaw enables unauthorized users to gain full administrative access, compromising the entire content management system.
Exploitation of this vulnerability allows low-privileged users to escalate their privileges to the Administrators group, granting them complete control over the CMS. This includes the ability to install arbitrary modules, access all administrative tools, and potentially execute remote code through malicious module uploads. Additionally, users can modify or delete any content managed by the CMS.
To reproduce this vulnerability, create a restricted group named 'Users' with limited permissions, including 'Users → Modify'. Next, log in as a low-privileged user and navigate to 'Access → Users → Modify User'. Intercept the request using a proxy tool like Burp Suite and modify the groups[] parameter to assign the user to the Administrators group. Forward the request, and upon re-authentication, the user will have gained administrative access.
Users can update to WBCE CMS version 1.6.4 or later, where this vulnerability has been patched.
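The server-side check whose absence is described above, as an added example; it is not WBCE's code and not the 1.6.4 patch. The function name validateSubmittedGroups, the $assignable list and the group IDs 1 and 2 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not WBCE's code: check a submitted groups[] value
 * against the group IDs the acting user is allowed to assign.
 *
 * @param mixed $submitted  Raw $_POST['groups'] (client-controlled).
 * @param int[] $assignable IDs the server would have offered in the form.
 * @return int[] Validated, de-duplicated, sorted group IDs.
 */
function validateSubmittedGroups($submitted, array $assignable): array
{
    if (!is_array($submitted)) {
        throw new InvalidArgumentException('groups[] must be an array');
    }
    $requested = [];
    foreach ($submitted as $raw) {
        // Only plain positive decimal integers count as group IDs.
        if (!(is_int($raw) || is_string($raw))
            || preg_match('/^[1-9][0-9]*$/D', (string) $raw) !== 1) {
            throw new InvalidArgumentException('malformed group id');
        }
        $requested[(int) $raw] = true;   // array key de-duplicates
    }
    $requested = array_keys($requested);
    // Reject the whole request instead of silently dropping extra IDs, so the
    // attempt is visible to the caller and can be logged.
    $denied = array_values(array_diff($requested, $assignable));
    if ($denied !== []) {
        throw new DomainException('group(s) not assignable: ' . implode(',', $denied));
    }
    sort($requested);
    return $requested;
}

// Constructed sample: the acting user may assign only group 2; ID 1 stands in
// for the Administrators group (assumed ID).
$assignable = [2];
foreach ([['2'], ['2', '1'], ['2 OR 1'], '1'] as $post) {
    try {
        $result = 'accepted ' . json_encode(validateSubmittedGroups($post, $assignable));
    } catch (InvalidArgumentException | DomainException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo json_encode($post), ' => ', $result, PHP_EOL;
}
```

The list passed as $assignable has to be derived on the server from the acting user's session, never from a hidden form field or any other request value.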