← Back
2026-03-26 11:39CVE-2018-25195VulnCheck
PUBLISHED5.2CWE-89

Wecodex Hotel CMS 1.0 SQL Injection via Admin Login

Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.

Problem type

Affected products

Wecodex

Wecodex Hotel CMS

1.0 - AFFECTED

References

ExploitDB-44729

https://www.exploit-db.com/exploits/44729

exploit
Official Product Homepage

https://www.wecodex.com/item/view/hotel-management-system-in-php-and-mysql/7

product
VulnCheck Advisory: Wecodex Hotel CMS 1.0 SQL Injection via Admin Login

https://www.vulncheck.com/advisories/wecodex-hotel-cms-sql-injection-via-admin-login

third-party-advisory

GitHub Security Advisories

GHSA-w7h7-95hx-jvj6

Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality...

https://github.com/advisories/GHSA-w7h7-95hx-jvj6

Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2018-25195

exploit-db.com

https://www.exploit-db.com/exploits/44729

vulncheck.com

https://www.vulncheck.com/advisories/wecodex-hotel-cms-sql-injection-via-admin-login

wecodex.com

https://www.wecodex.com/item/view/hotel-management-system-in-php-and-mysql/7

github.com

https://github.com/advisories/GHSA-w7h7-95hx-jvj6

JSON source

https://cveawg.mitre.org/api/cve/CVE-2018-25195
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2018-25195",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-03-26T11:39:48.998Z",
    "dateReserved": "2026-03-06T12:00:30.883Z",
    "datePublished": "2026-03-26T11:39:48.998Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-03-26T11:39:48.998Z"
      },
      "datePublic": "2018-05-23T00:00:00.000Z",
      "title": "Wecodex Hotel CMS 1.0 SQL Injection via Admin Login",
      "descriptions": [
        {
          "lang": "en",
          "value": "Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access."
        }
      ],
      "affected": [
        {
          "vendor": "Wecodex",
          "product": "Wecodex Hotel CMS",
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/44729",
          "name": "ExploitDB-44729",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.wecodex.com/item/view/hotel-management-system-in-php-and-mysql/7",
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/wecodex-hotel-cms-sql-injection-via-admin-login",
          "name": "VulnCheck Advisory: Wecodex Hotel CMS 1.0 SQL Injection via Admin Login",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Özkan Mustafa Akkuş (AkkuS)",
          "type": "finder"
        }
      ]
    }
  }
}