CVE-2025-15004
Unknown Unknown - Not Provided
SQL Injection in DedeCMS /freelist_main.php Allows Remote Exploit

Publication date: 2025-12-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in DedeCMS up to 5.7.118. This impacts an unknown function of the file /freelist_main.php. The manipulation of the argument orderby leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15004
EUVD
EUVD-2025-204680
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dede dedecms 5.7.118
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15004 is a critical SQL injection vulnerability in DedeCMS versions up to 5.7.118, specifically in the administrator backend file `freelist_main.php`. The vulnerability arises because the `orderby` parameter is used directly in SQL queries without any sanitization, parameterization, or whitelist validation. Additionally, the backend configuration disables built-in SQL safety checks, removing protections against SQL injection patterns. This flaw allows authenticated administrators to perform time-based blind SQL injection attacks remotely by injecting malicious SQL code via the `orderby` parameter, enabling extraction of sensitive data from the database. [1, 2, 3]

Compliance Impact

The vulnerability allows attackers to extract sensitive data such as administrator credentials, user personal information, website configuration data, API keys, and all CMS content through SQL injection. This exposure of personal and sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. The compromise of confidentiality, integrity, and availability of data due to this vulnerability poses significant compliance risks, including potential legal penalties and reputational damage. [2, 3]

Impact Analysis

This vulnerability can lead to complete database compromise, allowing attackers to execute arbitrary SQL commands. It enables theft of administrator credentials, user personal information, website configuration data, API keys, all CMS content, and database schema details. Attackers can escalate privileges, gain full CMS backend control, modify database content, maintain persistent access, and potentially deface the website. The vulnerability is remotely exploitable by authenticated administrators and has no rate limiting, facilitating automated data extraction and causing significant business impact including data exposure and reputational damage. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by identifying requests to the vulnerable file `/freelist_main.php` that include the `orderby` parameter. Attackers may use SQL injection payloads or time-based blind SQL injection techniques involving MySQL functions like SLEEP() or BENCHMARK() in the `orderby` parameter. One detection method is to monitor HTTP requests for suspicious `orderby` parameter values containing SQL keywords or functions. Additionally, Google dorking with queries like `inurl:freelist_main.php` can help identify exposed vulnerable endpoints. Proof-of-concept exploits and scripts exist that send crafted GET/POST requests with malicious `orderby` values to test for SQL injection. For example, sending a request with `orderby=IF(1=1,SLEEP(5),aid)` and measuring response delay can indicate vulnerability. Network or application logs should be inspected for such anomalous requests. No specific built-in commands are provided, but custom scripts or tools that perform time-based blind SQL injection tests against the `orderby` parameter can be used. [1, 3]

Mitigation Strategies

Immediate mitigation steps include: 1) Implement strict whitelist validation on the `orderby` parameter to allow only predefined safe column names such as 'aid', 'title', 'click', and 'edtime'. 2) Re-enable the SQL safety checks by setting `$dsql->safeCheck = TRUE` in the backend configuration file `dede/config.php` to restore the built-in `CheckSql()` function that blocks common SQL injection patterns. 3) Change all administrator passwords immediately and audit database logs for suspicious activity to limit potential damage. 4) Conduct a thorough code audit to identify and fix similar vulnerabilities. 5) Adopt parameterized queries or prepared statements to prevent SQL injection. 6) Employ Web Application Firewalls (WAF), input validation, output encoding, and least privilege principles for database accounts. These steps help prevent exploitation and reduce the risk of full database compromise. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15004. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart