CVE-2018-25188

HighPublic PoC

Published: 06 March 2026

Published

06 March 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0013 31.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract…

sensitive database information including usernames, databases, and version details.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mandates validation of the unsanitized 'order' parameter in WsModelGrid.php to prevent SQL injection execution.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the SQL injection flaw in Webiness Inventory 2.3 to eliminate the vulnerability.

SI-9 Information Input Restrictions partial match

prevent

Enforces restrictions on information inputs at system boundaries to block malicious SQL payloads in POST requests to the vulnerable endpoint.

Security SummaryAI

CVE-2018-25188 is an SQL injection vulnerability (CWE-89) affecting Webiness Inventory version 2.3. The flaw resides in the WsModelGrid.php endpoint, where the order parameter fails to properly sanitize user input, allowing attackers to inject malicious SQL code. Published on 2026-03-06 with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), it enables high-impact confidentiality breaches with low integrity impact and no availability disruption.

Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the WsModelGrid.php endpoint with crafted SQL payloads in the order parameter. Successful exploitation allows execution of arbitrary SQL queries, permitting extraction of sensitive database information such as usernames, database names, and version details.

Advisories and references include a proof-of-concept exploit published on Exploit-DB (https://www.exploit-db.com/exploits/45843) and a detailed advisory from Vulncheck (https://www.vulncheck.com/advisories/webiness-inventory-sql-injection-via-wsmodelgridphp), which document the issue but do not specify patches or mitigations in the provided information.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (T1190) enables arbitrary database queries for sensitive data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/45843
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/webiness-inventory-sql-injection-via-wsmodelgridphp
disclosure@vulncheck.com