CVE-2025-15004
SQL Injection in DedeCMS /freelist_main.php Allows Remote Exploit
Publication date: 2025-12-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dede | dedecms | 5.7.118 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15004 is a critical SQL injection vulnerability in DedeCMS versions up to 5.7.118, specifically in the administrator backend file `freelist_main.php`. The vulnerability arises because the `orderby` parameter is used directly in SQL queries without any sanitization, parameterization, or whitelist validation. Additionally, the backend configuration disables built-in SQL safety checks, removing protections against SQL injection patterns. This flaw allows authenticated administrators to perform time-based blind SQL injection attacks remotely by injecting malicious SQL code via the `orderby` parameter, enabling extraction of sensitive data from the database. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to complete database compromise, allowing attackers to execute arbitrary SQL commands. It enables theft of administrator credentials, user personal information, website configuration data, API keys, all CMS content, and database schema details. Attackers can escalate privileges, gain full CMS backend control, modify database content, maintain persistent access, and potentially deface the website. The vulnerability is remotely exploitable by authenticated administrators and has no rate limiting, facilitating automated data extraction and causing significant business impact including data exposure and reputational damage. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying requests to the vulnerable file `/freelist_main.php` that include the `orderby` parameter. Attackers may use SQL injection payloads or time-based blind SQL injection techniques involving MySQL functions like SLEEP() or BENCHMARK() in the `orderby` parameter. One detection method is to monitor HTTP requests for suspicious `orderby` parameter values containing SQL keywords or functions. Additionally, Google dorking with queries like `inurl:freelist_main.php` can help identify exposed vulnerable endpoints. Proof-of-concept exploits and scripts exist that send crafted GET/POST requests with malicious `orderby` values to test for SQL injection. For example, sending a request with `orderby=IF(1=1,SLEEP(5),aid)` and measuring response delay can indicate vulnerability. Network or application logs should be inspected for such anomalous requests. No specific built-in commands are provided, but custom scripts or tools that perform time-based blind SQL injection tests against the `orderby` parameter can be used. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement strict whitelist validation on the `orderby` parameter to allow only predefined safe column names such as 'aid', 'title', 'click', and 'edtime'. 2) Re-enable the SQL safety checks by setting `$dsql->safeCheck = TRUE` in the backend configuration file `dede/config.php` to restore the built-in `CheckSql()` function that blocks common SQL injection patterns. 3) Change all administrator passwords immediately and audit database logs for suspicious activity to limit potential damage. 4) Conduct a thorough code audit to identify and fix similar vulnerabilities. 5) Adopt parameterized queries or prepared statements to prevent SQL injection. 6) Employ Web Application Firewalls (WAF), input validation, output encoding, and least privilege principles for database accounts. These steps help prevent exploitation and reduce the risk of full database compromise. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to extract sensitive data such as administrator credentials, user personal information, website configuration data, API keys, and all CMS content through SQL injection. This exposure of personal and sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. The compromise of confidentiality, integrity, and availability of data due to this vulnerability poses significant compliance risks, including potential legal penalties and reputational damage. [2, 3]