| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Improper Authorization in Wbce Wbce_Cms | 11 Apr 2026 19:14 | – | githubexploit |
| CVE-2025-65094 | 19 Nov 2025 21:30 | – | circl |
| WBCE CMS authorization issue vulnerability | 19 Nov 2025 00:00 | – | cnnvd |
| CVE-2025-65094 | 19 Nov 2025 19:06 | – | cve |
| CVE-2025-65094 WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR) | 19 Nov 2025 19:06 | – | cvelist |
| EUVD-2025-198230 | 19 Nov 2025 19:06 | – | euvd |
| CVE-2025-65094 | 19 Nov 2025 19:15 | – | nvd |
| CVE-2025-65094 WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR) | 19 Nov 2025 19:06 | – | osv |
| PT-2025-47517 | 19 Nov 2025 00:00 | – | ptsecurity |
| CVE-2025-65094 | 20 Nov 2025 21:36 | – | redhatcve |
# CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-65094](https://nvd.nist.gov/vuln/detail/CVE-2025-65094) |
| **Severity** | HIGH |
| **Advisory** | [View Advisory](https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **WBCE/WBCE_CMS**
## Details
### Summary
A low-privileged user in WBCE CMS can escalate their privileges to the **Administrators** group by manipulating the `groups[]` parameter in the `/admin/users/save.php` request.
The UI restricts users to assigning only their existing group, but **server-side validation is missing**, allowing attackers to overwrite their group membership and obtain full administrative access.
This results in a **complete compromise of the CMS**.
---
## Upstream Fix Confirmation
The project maintainers have remediated the issue in the following commit:
- **Commit:** `9604617`
- **Title:** *"changes in user management"*
- **Link:** https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
**Relevant commit message:**
> allow administrators only to assign users to any group; usual users may assign themselves and other users only to groups where they already belong to.
This directly addresses the improper access control in group assignment.
---
### Details
WBCE CMS uses **group permissions** to restrict access to administrative features.
A restricted group (`Users`) was created with the following permissions:
| Permission Category | Setting |
|--------------------|--------------------|
| Pages | View |
| Media | View |
| Add-ons | View |
| Settings | View |
| **Access → Users** | **View + Modify** |
| **Access → Groups**| **View** |
| Admin-Tools | *(none)* |
<img width="1243" height="1266" alt="image" src="https://github.com/user-attachments/assets/aaa4bb9e-becd-47bd-9c87-a0887e54924f" />
This setup ensures that low-privileged users:
- cannot create or edit other users (besides modifying their own profile),
- cannot manage groups,
- cannot install or modify modules,
- cannot access admin tools,
- cannot perform administrative actions.
Their only elevated permission is:
> **Users → Modify**, intended solely for editing their own account.
---
### Vulnerable Behavior
When a user edits their own profile via:
**Access → Users → Modify User**
the form is posted to `/admin/users/save.php`. The backend stores the submitted `groups[]` value without checking that it names a group the requesting user is permitted to assign; the only control is the UI, which offers nothing but the user's current group.
An attacker can therefore intercept the request and change the parameter:
`groups[]=2` → attacker changes to → `groups[]=1`
This immediately assigns the user to the **Administrators** group (group ID `1`).
### Affected Code Paths
(as confirmed by commit `9604617`)
The following files participate in group assignment but previously lacked proper authorization logic:
- `wbce/admin/users/index.php`
- `wbce/admin/users/users.php`
- `wbce/admin/users/save.php`
The fix introduces **server-side validation** that:
- Allows **administrators** to assign any group.
- Restricts **regular users** to groups they already belong to.
This confirms an **Improper Access Control / IDOR** vulnerability in the group assignment process.
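The following PHP script is an added example and is not WBCE's own code; it models the behaviour the fix commit describes (administrators may assign any group, everyone else only groups they already belong to) beside the unchecked assignment the PoC above exploits. The constant `ADMIN_GROUP_ID`, the function names and the sample request data are assumptions made for illustration.

```php
<?php
// Added example, not WBCE_CMS source. Models the server-side check the fix
// commit describes; names and sample data below are assumptions.

const ADMIN_GROUP_ID = 1; // WBCE's Administrators group, per the advisory

/**
 * Return the subset of $requestedGroups the requester may actually assign.
 *
 * - Members of the Administrators group may assign any requested group.
 * - Everyone else may only assign groups the requester already belongs to,
 *   so a tampered groups[]=1 from a member of group 2 is dropped.
 */
function filter_group_assignment(array $requesterGroups, array $requestedGroups): array
{
    $own       = array_map('intval', $requesterGroups);
    $requested = array_values(array_unique(array_map('intval', $requestedGroups)));

    if (in_array(ADMIN_GROUP_ID, $own, true)) {
        return $requested;
    }
    return array_values(array_intersect($requested, $own));
}

// Vulnerable behaviour: whatever the client sent is what gets stored.
function vulnerable_save(array $post): array
{
    return array_map('intval', $post['groups'] ?? []);
}

// Hardened behaviour: the client's list is filtered against the requester's
// own memberships, and a request that leaves no permitted group is refused
// rather than silently saving an empty membership.
function hardened_save(array $requesterGroups, array $post): array
{
    $groups = filter_group_assignment($requesterGroups, $post['groups'] ?? []);
    if ($groups === []) {
        throw new RuntimeException('No permitted group in request; refusing to save');
    }
    return $groups;
}

// Constructed sample: a member of group 2 (the restricted "Users" group)
// replays the PoC request with groups[]=1.
$attackerGroups = [2];
$tampered       = ['groups' => ['1']];

var_dump(vulnerable_save($tampered));                 // [1]: attacker is now an Administrator
try {
    var_dump(hardened_save($attackerGroups, $tampered)); // throws, nothing saved
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Legitimate cases still work: a self-edit that keeps group 2, and an
// administrator (member of group 1) assigning someone to groups 1 and 2.
var_dump(hardened_save($attackerGroups, ['groups' => ['2']]));  // [2]
var_dump(hardened_save([1], ['groups' => ['1', '2']]));          // [1, 2]
```

The intersection must be computed from the requester's memberships as stored server-side (session or database), never from anything in the request, and the same filter has to run on the path that edits other users as well as on self-edits, since the commit message covers both.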
---
## Proof of Concept (PoC)
### 1. Create a restricted group
Configure a group named **Users** with:
- Users → Modify (enabled)
- All other permissions disabled
<img width="1243" height="1266" alt="image" src="https://github.com/user-attachments/assets/e9bd6cd7-e96c-4df2-904b-26d073abb9be" />
---
### 2. Create a low-privileged user
<img width="1567" height="908" alt="image" src="https://github.com/user-attachments/assets/c5acb1fb-c872-415f-8ac2-94b1921f47e1" />
---
### 3. Log in as the low-privileged user
Navigate to:
**Access → Users → Modify User**
<img width="1749" height="1020" alt="image" src="https://github.com/user-attachments/assets/35ffafac-d60e-42fc-a6be-5450821db003" />
Intercept the outgoing request using a proxy such as Burp Suite.
---
### 4. Modify the group assignment parameter
**Original request parameter (URL-encoded `groups[]=2`):**
`groups%5B%5D=2`
**Modified request parameter (URL-encoded `groups[]=1`):**
`groups%5B%5D=1`
Changing the value to `1` assigns the user to the **Administrators** group, whose ID is `1`.
---
### 5. Forward the request
<img width="1920" height="676" alt="image" src="https://github.com/user-attachments/assets/ef980f1f-3650-4e7e-a67d-e95438584360" />
---
### 6. Administrative access obtained
After re-authentication, the user gains full access to administrative tools and features.
<img width="1355" height="781" alt="image" src="https://github.com/user-attachments/assets/cdd06bbd-a6c1-4b80-8050-a012354c9496" />
---
## Impact
This is a **privilege escalation vulnerability** that allows any authenticated user holding the **Users → Modify** permission (the permission intended only for editing their own account) to:
1. Escalate to the **Administrators** group
2. Gain full control of the CMS
3. Install arbitrary modules
4. Access all administrative tools
5. Potentially achieve **remote code execution** via malicious module upload
6. Modify or delete any content managed by the CMS
## References
- https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44
- https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.