CVE-2018-25203

Received Received - Intake

SQL Injection in Online Store CMS 1.0 Enables Data Theft

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: VulnCheck

Description

Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-26

Last Modified

2026-03-26

Generated

2026-06-16

AI Q&A

2026-03-26

EPSS Evaluated

2026-06-15

NVD

CVE-2018-25203

EUVD

EUVD-2018-21665

Affected Vendors & Products

Vendor	Product	Version / Range
wecodex	online_store_system_cms	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2018-25203 is an SQL injection vulnerability in Online Store System CMS version 1.0. It allows unauthenticated attackers to inject malicious SQL code through the "email" parameter in POST requests sent to index.php with the action=clientaccess parameter.

Attackers exploit this flaw using boolean-based blind or time-based blind SQL injection techniques to manipulate database queries and extract sensitive information from the backend database.

The vulnerability arises due to insufficient sanitization of user input before it is incorporated into SQL queries, specifically affecting the PHP-based dashboard component of the application.

Impact Analysis

This vulnerability can allow attackers to access or modify sensitive data stored in the application's database without any authentication or user interaction.

By exploiting the SQL injection, attackers can extract confidential information, potentially compromising user data and other sensitive business information.

Although the impact on data integrity and availability is low, the confidentiality impact is high, meaning sensitive data exposure is the primary risk.

Detection Guidance

This vulnerability can be detected by sending crafted POST requests to the endpoint index.php with the parameter action=clientaccess, specifically targeting the email parameter with SQL injection payloads.

Detection involves using boolean-based blind or time-based blind SQL injection techniques, such as MySQL RLIKE boolean-based blind injections or time delays using the SLEEP function.

For example, you can use curl commands to send POST requests with manipulated email parameters to test for SQL injection.

curl -X POST -d "action=clientaccess&email=' OR 1=1-- &password=test" http://target/demos/shop/index.php
curl -X POST -d "action=clientaccess&email=' OR IF(SLEEP(5),1,0)-- &password=test" http://target/demos/shop/index.php

If the server response time increases significantly or the response content changes based on these payloads, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially the email parameter in the clientaccess action, to prevent SQL injection.

Use prepared statements or parameterized queries in the application code to safely handle database queries.

Restrict direct access to the vulnerable endpoint or implement web application firewall (WAF) rules to detect and block SQL injection attempts targeting the email parameter.

Monitor logs for suspicious POST requests to index.php with action=clientaccess and unusual payloads in the email field.

If possible, update or patch the Online Store System CMS to a version that addresses this vulnerability.

Compliance Impact

The SQL injection vulnerability in Online Store System CMS 1.0 allows unauthenticated attackers to extract sensitive information from the backend database by manipulating SQL queries through the email parameter.

This exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access or disclosure.

Organizations using this vulnerable system may face risks of data breaches, potentially resulting in legal and regulatory consequences due to failure to safeguard sensitive customer data.

Hi! I’m here to help you understand CVE-2018-25203. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2018-25203

SQL Injection in Online Store CMS 1.0 Enables Data Theft

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart