← Back
2026-03-26 11:39CVE-2018-25201VulnCheck
PUBLISHED5.2CWE-89

School Management System CMS 1.0 Admin Login SQL Injection

School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials.

Problem type

Affected products

Wecodex Solutions

School Management System CMS

1.0 - AFFECTED

References

ExploitDB-44727

https://www.exploit-db.com/exploits/44727

exploit
Official Product Homepage

https://www.wecodex.com/item/view/school-management-system-in-php-and-mysql/5

product
VulnCheck Advisory: School Management System CMS 1.0 Admin Login SQL Injection

https://www.vulncheck.com/advisories/school-management-system-cms-admin-login-sql-injection

third-party-advisory

GitHub Security Advisories

GHSA-qxr5-86c9-g8f9

School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login...

https://github.com/advisories/GHSA-qxr5-86c9-g8f9

School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2018-25201

exploit-db.com

https://www.exploit-db.com/exploits/44727

vulncheck.com

https://www.vulncheck.com/advisories/school-management-system-cms-admin-login-sql-injection

wecodex.com

https://www.wecodex.com/item/view/school-management-system-in-php-and-mysql/5

github.com

https://github.com/advisories/GHSA-qxr5-86c9-g8f9

JSON source

https://cveawg.mitre.org/api/cve/CVE-2018-25201
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2018-25201",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-03-26T13:02:45.335Z",
    "dateReserved": "2026-03-26T11:32:22.689Z",
    "datePublished": "2026-03-26T11:39:49.622Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-03-26T11:39:49.622Z"
      },
      "title": "School Management System CMS 1.0 Admin Login SQL Injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials."
        }
      ],
      "affected": [
        {
          "vendor": "Wecodex Solutions",
          "product": "School Management System CMS",
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/44727",
          "name": "ExploitDB-44727",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.wecodex.com/item/view/school-management-system-in-php-and-mysql/5",
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/school-management-system-cms-admin-login-sql-injection",
          "name": "VulnCheck Advisory: School Management System CMS 1.0 Admin Login SQL Injection",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Özkan Mustafa Akkuş (AkkuS)",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T13:02:45.335Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}