CVE-2025-70397
SQL Injection in jizhicms 2.5.6 Article and Extmolds DeleteAll

Publication date: 2026-02-17

Last updated on: 2026-02-19

Assigner: MITRE

Description
jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter.
Meta Information
Published: 2026-02-17
Last Modified: 2026-02-19
Generated: 2026-05-07
AI Q&A: 2026-02-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jizhicms jizhicms 2.5.6
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-70397 is a high-risk SQL injection vulnerability found in jizhicms version 2.5.6, specifically in the backend batch delete functionality within the Article/deleteAll and Extmolds/deleteAll endpoints.

The issue arises because the SQL query uses an integer context with an 'id in()' clause without proper quoting and relies on addslashes() for escaping, which only escapes single quotes and is ineffective here. This allows attackers to close the parentheses and inject arbitrary SQL statements.

Since the underlying database access layer (PDO) supports stacked queries, attackers can execute multiple SQL commands in a single request, such as UPDATE, INSERT, or DELETE.

An attacker with normal administrator privileges can exploit this vulnerability to perform SQL injection via the batch delete feature, enabling them to modify the super administrator's password or perform other malicious database operations. [2]


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Privilege escalation: Normal administrators can escalate their privileges by taking over super administrator accounts.
  • Data leakage: Attackers can use time-based blind SQL injection techniques to extract sensitive database content.
  • Data tampering: Arbitrary UPDATE, INSERT, or DELETE operations can be executed, allowing attackers to modify or delete data.
  • Potential remote code execution: If the MySQL database has FILE privileges, attackers can write webshells to the server, leading to full system compromise.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by intercepting and analyzing requests to the batch delete endpoint in jizhicms, specifically at /index.php/admins/Article/deleteAll.html. By modifying the data parameter in these requests, you can test for SQL injection vulnerabilities.

Example curl commands can be used to detect the vulnerability by injecting SQL payloads and observing the response or behavior changes such as time delays.

  • Normal deletion test: curl -b "session=your_valid_session_cookie" -d "data=1" http://target/index.php/admins/Article/deleteAll.html
  • Time-based blind SQL injection test: curl -b "session=your_valid_session_cookie" -d "data=0) and sleep(5)-- -" http://target/index.php/admins/Article/deleteAll.html (observe if response delays by ~5 seconds)
  • Password modification test (proof of concept): curl -b "session=your_valid_session_cookie" -d "data=0);update jz_level set pass=0xHEX_ENCODED_HASH where id=1-- -" http://target/index.php/admins/Article/deleteAll.html

[2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable batch delete endpoints to trusted administrators only and monitoring for suspicious activity involving the data parameter.

Ensure that valid session cookies are protected and consider temporarily disabling the batch delete functionality until a patch or fix is applied.

Long term, update the application to a version where the SQL injection vulnerability is fixed by properly sanitizing inputs and using parameterized queries instead of relying on addslashes() and unsafe integer handling.
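
The difference between the addslashes() pattern and a parameterized batch delete is shown in the added example below. It is not jizhicms source code: the table demo_article and the functions buildDeleteUnsafe, parseIdList and deleteAllSafe are hypothetical names, and it uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
// Added illustration, not jizhicms source. Table and function names are hypothetical.

// Pattern the page describes: addslashes() followed by an unquoted "id in (...)".
function buildDeleteUnsafe(string $data): string
{
    // addslashes() only touches quotes, backslashes and NUL bytes; parentheses,
    // semicolons and SQL keywords pass through unchanged in a numeric context.
    return 'DELETE FROM demo_article WHERE id IN (' . addslashes($data) . ')';
}

// Hardened form, step 1: accept only a comma-separated list of unsigned integers.
function parseIdList(string $data): array
{
    $ids = [];
    foreach (explode(',', $data) as $part) {
        $part = trim($part);
        if (!ctype_digit($part)) {   // rejects '', signs, ')', ';', keywords, etc.
            throw new InvalidArgumentException('data must be a list of integer ids');
        }
        $ids[] = (int) $part;
    }
    return $ids;
}

// Hardened form, step 2: one placeholder per id, values bound by the driver.
function deleteAllSafe(PDO $db, string $data): int
{
    $ids = parseIdList($data);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM demo_article WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_article (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO demo_article (id, title) VALUES (1,'a'),(2,'b'),(3,'c')");

$probe = '0) and sleep(5)-- -';   // the time-based test value quoted on this page
echo buildDeleteUnsafe($probe), "\n";          // input has become part of the SQL text
echo deleteAllSafe($db, '1, 3'), " rows deleted\n";
try {
    deleteAllSafe($db, $probe);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On a MySQL connection, passing PDO::MYSQL_ATTR_MULTI_STATEMENTS => false in the PDO driver options additionally disables the stacked queries mentioned above.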

