CVE-2018-25197

HighPublic PoC

Published: 06 March 2026

Published

06 March 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0012 30.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with option=com_playjoom&view=genre&catid=[SQL] to extract sensitive database information including usernames,…

databases, and version details.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires the system to validate and sanitize user inputs like the catid parameter, directly preventing SQL injection exploitation in PlayJoom.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of the specific SQL injection flaw in PlayJoom version 0.10.1.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection with web application firewalls inspects and blocks malicious SQL payloads in unauthenticated GET requests to index.php.

Security SummaryAI

CVE-2018-25197 is an SQL injection vulnerability (CWE-89) affecting PlayJoom version 0.10.1. The issue arises in the catid parameter, which fails to properly sanitize user input, enabling attackers to inject and execute arbitrary SQL queries.

Unauthenticated remote attackers can exploit this vulnerability by sending GET requests to index.php?option=com_playjoom&view=genre&catid=[SQL payload]. Successful exploitation allows extraction of sensitive database information, including usernames, database names, and version details. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting network accessibility, low complexity, high confidentiality impact, and low integrity impact with no availability disruption.

Advisories, including those from VulnCheck, describe the SQL injection via the catid parameter in PlayJoom. An exploit proof-of-concept is publicly available on Exploit-DB (ID 45803), illustrating the attack vector with specific payloads for data extraction.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (PlayJoom) enables unauthenticated remote exploitation (T1190) and arbitrary database queries for sensitive data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/45803
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/playjoom-sql-injection-via-catid-parameter
disclosure@vulncheck.com