CVE-2025-67504: CWE-331: Insufficient Entropy in WBCE WBCE_CMS
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.
AI Analysis
Technical Summary
CVE-2025-67504 identifies a critical security vulnerability in WBCE CMS, a content management system widely used for website management. The vulnerability stems from the use of PHP's rand() function within the GenerateRandomPassword() method in versions 1.6.4 and earlier. The rand() function is not designed for cryptographic purposes and produces predictable pseudo-random numbers. Consequently, passwords generated by this function have low entropy and can be predicted or brute-forced by attackers. This weakness compromises the security of user accounts, especially those created with auto-generated passwords or those undergoing password resets. Exploiting this vulnerability requires no authentication or user interaction and can be performed remotely, increasing its risk profile. The vulnerability impacts confidentiality and integrity by enabling unauthorized access and privilege escalation, though it does not directly affect availability. The issue is resolved in WBCE CMS version 1.6.5, which replaces the insecure random number generation with a cryptographically secure alternative. Despite no known exploits in the wild at the time of publication, the high CVSS score of 9.1 reflects the critical nature of this flaw and the urgency for remediation.
Potential Impact
For European organizations using WBCE CMS versions prior to 1.6.5, this vulnerability poses a severe risk of unauthorized account access and privilege escalation. Attackers can predict or brute-force passwords generated by the vulnerable function, potentially compromising administrative or user accounts. This can lead to data breaches, unauthorized content manipulation, and loss of trust from customers or users. Given the CMS's role in managing web content, exploitation could also facilitate further attacks such as website defacement, phishing, or malware distribution. The impact on confidentiality and integrity is high, while availability is less directly affected. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased compliance risks and potential legal consequences if exploited. The vulnerability's ease of exploitation without authentication or user interaction further elevates the threat level.
Mitigation Recommendations
European organizations should immediately upgrade WBCE CMS to version 1.6.5 or later, where the vulnerability is fixed. Until patching is possible, administrators should disable automatic password generation features or replace them with scripts using cryptographically secure random number generators, such as PHP's random_int() or openssl_random_pseudo_bytes(). Implement multi-factor authentication (MFA) to reduce the risk of compromised passwords leading to account takeover. Regularly audit user accounts for suspicious activity and enforce strong password policies requiring manual password creation or use of secure password managers. Monitor web server logs for unusual login attempts or brute-force patterns. Additionally, restrict access to password reset functionalities through rate limiting and CAPTCHA challenges to hinder automated attacks. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises.
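To make the weak pattern and its fix concrete, here is an added illustration (not WBCE's actual GenerateRandomPassword() code) of a rand()-based generator beside one using random_int(), the replacement the mitigation section names; the character set and function names are assumptions.

```php
<?php
// Illustrative only: this is NOT WBCE's GenerateRandomPassword(); it shows the
// weak pattern described in the advisory next to a hardened equivalent.
declare(strict_types=1);

// Assumed character set (ambiguous glyphs such as l, I, O, 0, 1 left out).
const PW_CHARS = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Weak (CWE-331): rand() is a non-cryptographic PRNG (since PHP 7.1 it is an
// alias of mt_rand(), i.e. Mersenne Twister). Its output is a function of a
// small internal state, so generated passwords are predictable and the real
// search space is far smaller than charset^length suggests.
function generateRandomPasswordWeak(int $length = 8): string
{
    $out = '';
    $max = strlen(PW_CHARS) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= PW_CHARS[rand(0, $max)];
    }
    return $out;
}

// Hardened: random_int() reads the OS CSPRNG (getrandom(2), /dev/urandom,
// CryptGenRandom) and is uniform over [0, $max], so every character contributes
// log2(|PW_CHARS|) bits of entropy and no prior output helps guess the next one.
function generateRandomPasswordSecure(int $length = 16): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be positive');
    }
    $out = '';
    $max = strlen(PW_CHARS) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= PW_CHARS[random_int(0, $max)];
    }
    return $out;
}

// Entropy budget (bits) of a password drawn uniformly from PW_CHARS; this is the
// figure a reviewer should compare against policy when sizing auto-generated
// passwords or reset tokens.
function passwordEntropyBits(int $length): float
{
    return $length * log(strlen(PW_CHARS), 2);
}

printf("weak:   %s\n", generateRandomPasswordWeak());
printf("secure: %s (%.1f bits)\n", generateRandomPasswordSecure(), passwordEntropyBits(16));
```

When reviewing a codebase for this class of bug, grep for rand(), mt_rand(), uniqid() and shuffle() feeding anything security-sensitive (passwords, reset tokens, session or CSRF tokens) and replace them with random_int() or random_bytes().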
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-08T21:19:11.206Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69379c1c0af42da4c573d331
Added to database: 12/9/2025, 3:48:44 AM
Last enriched: 12/9/2025, 4:00:43 AM
Last updated: 12/10/2025, 4:30:50 AM