CVE-2018-25429

Deferred Deferred - Pending Action

SQL Injection in Paroiciel 11.20 via zProIdPro Parameter

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulnCheck

Description

Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro parameter to extract sensitive database information including usernames, databases, and version details.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-01

Last Modified

2026-06-01

Generated

2026-06-22

AI Q&A

2026-06-02

EPSS Evaluated

2026-06-21

NVD

CVE-2018-25429

EUVD

EUVD-2018-21950

Affected Vendors & Products

Vendor	Product	Version / Range
paroiciel	paroiciel	11.20

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2018-25429 is an SQL injection vulnerability found in Paroiciel version 11.20. It allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers exploit this by sending specially crafted GET requests to the zpro.php script with malicious SQL payloads embedded in the zProIdPro parameter.

This vulnerability enables attackers to extract sensitive information from the database, such as usernames, database names, and version details.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can retrieve usernames, database contents, and version information, potentially leading to further exploitation or data breaches.

Since the vulnerability requires authentication but has a low attack complexity and no user interaction, it can be exploited relatively easily by someone with valid credentials, increasing the risk of data exposure.

Compliance Impact

The SQL injection vulnerability in Paroiciel 11.20 allows attackers to extract sensitive database information such as usernames and database details. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

However, the provided information does not explicitly detail the impact on compliance with specific standards or regulations.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the zpro.php file, specifically looking for suspicious or crafted SQL payloads in the zProIdPro parameter.

You can use network traffic analysis tools or web server logs to identify such requests.

Use curl or wget to test the endpoint with a crafted SQL injection payload, for example: curl "http://target/zpro.php?zProIdPro=1' OR '1'='1"
Use grep or similar tools on web server logs to search for suspicious zProIdPro parameter values: grep "zProIdPro=" /var/log/apache2/access.log
Use intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect SQL injection attempts targeting the zProIdPro parameter.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable zpro.php endpoint to only trusted authenticated users, as the vulnerability requires authentication.

Additionally, input validation and parameterized queries should be implemented to prevent SQL injection via the zProIdPro parameter.

If possible, update or patch Paroiciel to a version that addresses this vulnerability.

Monitoring and blocking suspicious requests targeting the zProIdPro parameter using a WAF or IDS can also help mitigate exploitation attempts.

Hi! I’m here to help you understand CVE-2018-25429. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2018-25429

SQL Injection in Paroiciel 11.20 via zProIdPro Parameter

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart