CVE-2018-25185
Published: 26 March 2026
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2018-25185 is an SQL injection vulnerability (CWE-89) in Wecodex Restaurant CMS 1.0. The flaw resides in the login endpoint, where attackers can inject SQL code through the username parameter to manipulate database queries. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact. The vulnerability was published on 2026-03-26.
Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the login endpoint containing malicious SQL payloads. Exploitation relies on boolean-based blind or time-based blind SQL injection techniques, enabling the extraction of sensitive database information without requiring prior authentication or user interaction.
Advisories and exploit details are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/44730), VulnCheck (https://www.vulncheck.com/advisories/wecodex-restaurant-cms-sql-injection-via-login), and the vendor's product page (https://www.wecodex.com/item/view/restaurant-system-in-php-and-mysql/6). No specific patches or mitigation steps are detailed in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing login endpoint directly enables exploitation of public-facing applications (T1190) and extraction of sensitive data from databases via blind techniques (T1213.006).