CVE-2025-15263
SQL Injection in BiggiDroid Simple PHP CMS Admin Login
Publication date: 2025-12-30
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| biggidroid | simple_php_cms | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15263 is a SQL injection vulnerability in BiggiDroid Simple PHP CMS version 1.0, specifically in the admin login functionality (/admin/login.php). It occurs because the username parameter is not properly sanitized, allowing attackers to inject malicious SQL code. This flaw lets attackers manipulate SQL queries remotely without authentication, potentially compromising the system's confidentiality, integrity, and availability. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass authentication controls and gain unauthorized administrative access to the CMS. By exploiting the SQL injection, attackers can take full control of the admin panel, leading to unauthorized data access, data manipulation, and potentially complete system takeover. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable admin login page at /admin/login.php and testing the username parameter for SQL injection. One method is to use Google dorking with the query: inurl:admin/login.php to identify potentially vulnerable targets. Additionally, you can attempt to exploit the SQL injection by sending crafted input such as "' OR '1'='1'--" in the username or password fields to see if authentication is bypassed. Network monitoring tools can also look for suspicious login attempts with such payloads. [1]
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known countermeasures or mitigations available for this vulnerability. The recommended immediate step is to replace the affected component, BiggiDroid Simple PHP CMS version 1.0, with an alternative product that does not contain this vulnerability. Avoid exposing the vulnerable admin login page to untrusted networks and monitor for suspicious login attempts. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in BiggiDroid Simple PHP CMS 1.0 allows unauthorized access to the admin panel and potential unauthorized data access or manipulation, impacting confidentiality, integrity, and availability of the system. Such a compromise can lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper access controls. Therefore, this vulnerability negatively affects compliance by exposing sensitive data to unauthorized parties and undermining required security controls. [1, 2]