← Back
2026-03-26 11:39CVE-2018-25183VulnCheck
PUBLISHED5.2CWE-89

Shipping System CMS 1.0 SQL Injection via admin login

Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.

Problem type

Affected products

Wecodex

Shipping System CMS

1.0 - AFFECTED

References

ExploitDB-44722

https://www.exploit-db.com/exploits/44722

exploit
Official Product Homepage

https://www.wecodex.com/item/view/shipping-system-by-parcel-in-php-and-mysql/4

product
VulnCheck Advisory: Shipping System CMS 1.0 SQL Injection via admin login

https://www.vulncheck.com/advisories/shipping-system-cms-sql-injection-via-admin-login

third-party-advisory

GitHub Security Advisories

GHSA-p8gp-2v3x-m88h

Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated...

https://github.com/advisories/GHSA-p8gp-2v3x-m88h

Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2018-25183

exploit-db.com

https://www.exploit-db.com/exploits/44722

vulncheck.com

https://www.vulncheck.com/advisories/shipping-system-cms-sql-injection-via-admin-login

wecodex.com

https://www.wecodex.com/item/view/shipping-system-by-parcel-in-php-and-mysql/4

github.com

https://github.com/advisories/GHSA-p8gp-2v3x-m88h

JSON source

https://cveawg.mitre.org/api/cve/CVE-2018-25183
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2018-25183",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-03-26T18:44:34.674Z",
    "dateReserved": "2026-03-06T11:50:12.378Z",
    "datePublished": "2026-03-26T11:39:47.622Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-03-26T11:39:47.622Z"
      },
      "datePublic": "2018-05-23T00:00:00.000Z",
      "title": "Shipping System CMS 1.0 SQL Injection via admin login",
      "descriptions": [
        {
          "lang": "en",
          "value": "Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials."
        }
      ],
      "affected": [
        {
          "vendor": "Wecodex",
          "product": "Shipping System CMS",
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/44722",
          "name": "ExploitDB-44722",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.wecodex.com/item/view/shipping-system-by-parcel-in-php-and-mysql/4",
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/shipping-system-cms-sql-injection-via-admin-login",
          "name": "VulnCheck Advisory: Shipping System CMS 1.0 SQL Injection via admin login",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Özkan Mustafa Akkuş (AkkuS)",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T18:44:34.674Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}