CVE-2018-25185

Received Received - Intake

SQL Injection in Wecodex Restaurant CMS Allows Data Extraction

Publication date: 2026-03-26

Last updated on: 2026-03-27

Assigner: VulnCheck

Description

Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint with malicious SQL payloads using boolean-based blind or time-based blind techniques to extract sensitive database information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-26

Last Modified

2026-03-27

Generated

2026-06-16

AI Q&A

2026-03-26

EPSS Evaluated

2026-06-14

NVD

CVE-2018-25185

EUVD

EUVD-2018-21657

Affected Vendors & Products

Vendor	Product	Version / Range
wecodex	restaurant_cms	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2018-25185 is an SQL injection vulnerability in Wecodex Restaurant CMS version 1.0. It allows unauthenticated attackers to inject malicious SQL code through the username parameter in the login POST request. This happens because the application does not properly sanitize or parameterize the username input before including it in SQL queries.

Attackers can exploit this vulnerability using boolean-based blind SQL injection techniques, which infer information based on true or false conditions, or time-based blind SQL injection techniques, which use delays to confirm the presence of the vulnerability. These methods enable attackers to manipulate database queries and extract sensitive information from the backend database.

Impact Analysis

Exploitation of this SQL injection vulnerability can lead to unauthorized access to the administrative dashboard of the Wecodex Restaurant CMS. Attackers may gain access without authentication by manipulating the login process.

Additionally, attackers can extract sensitive database information, modify data, or further exploit underlying database vulnerabilities. This can result in data leakage, data integrity issues, and potential compromise of the entire backend system.

Detection Guidance

This vulnerability can be detected by sending crafted POST requests to the login endpoint that include malicious SQL payloads in the username parameter. Detection involves testing for SQL injection using boolean-based blind or time-based blind SQL injection techniques.

For example, you can test boolean-based blind SQL injection by sending a POST request with a payload like: username=admin" RLIKE (SELECT (CASE WHEN (7084=7084) THEN 0x61646d696e4061646d696e2e636f6d ELSE 0x28 END)) AND "eloY"="eloY". If the response differs based on the injected condition, the vulnerability is present.

Alternatively, time-based blind SQL injection can be tested by sending a payload such as: username=admin" AND (SELECT * FROM (SELECT(SLEEP(5)))lzxm) AND "vZea"="vZea". If the server response is delayed by the sleep time, it indicates the vulnerability.

These tests can be performed using tools like curl or specialized SQL injection testing tools on Kali Linux or similar environments.

Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and sanitization on the username parameter in the login functionality to prevent SQL injection.

Use parameterized queries or prepared statements in the backend code to ensure that user input is not directly embedded into SQL queries.

Restrict access to the login endpoint and monitor for suspicious POST requests that may indicate exploitation attempts.

If possible, update or patch the Wecodex Restaurant CMS to a version that addresses this vulnerability or apply custom fixes to sanitize inputs.

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2018-25185 on compliance with common standards and regulations such as GDPR or HIPAA.

Hi! I’m here to help you understand CVE-2018-25185. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2018-25185

SQL Injection in Wecodex Restaurant CMS Allows Data Extraction

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart