← Back
2026-03-26 11:39CVE-2018-25203VulnCheck
PUBLISHED5.2CWE-89

Online Store System CMS 1.0 SQL Injection via clientaccess

Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.

Problem type

Affected products

Wecodex

Online Store System CMS

1.0 - AFFECTED

References

ExploitDB-44719

https://www.exploit-db.com/exploits/44719

exploit
Official Product Homepage

https://www.wecodex.com/item/view/online-store-system-in-php-and-mysql/3

product
VulnCheck Advisory: Online Store System CMS 1.0 SQL Injection via clientaccess

https://www.vulncheck.com/advisories/online-store-system-cms-sql-injection-via-clientaccess

third-party-advisory

GitHub Security Advisories

GHSA-4cp9-9rmg-ph8j

Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated...

https://github.com/advisories/GHSA-4cp9-9rmg-ph8j

Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2018-25203

exploit-db.com

https://www.exploit-db.com/exploits/44719

vulncheck.com

https://www.vulncheck.com/advisories/online-store-system-cms-sql-injection-via-clientaccess

wecodex.com

https://www.wecodex.com/item/view/online-store-system-in-php-and-mysql/3

github.com

https://github.com/advisories/GHSA-4cp9-9rmg-ph8j

JSON source

https://cveawg.mitre.org/api/cve/CVE-2018-25203
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2018-25203",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-03-26T15:02:07.192Z",
    "dateReserved": "2026-03-26T11:33:01.646Z",
    "datePublished": "2026-03-26T11:39:51.055Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-03-26T11:39:51.055Z"
      },
      "datePublic": "2018-05-23T00:00:00.000Z",
      "title": "Online Store System CMS 1.0 SQL Injection via clientaccess",
      "descriptions": [
        {
          "lang": "en",
          "value": "Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information."
        }
      ],
      "affected": [
        {
          "vendor": "Wecodex",
          "product": "Online Store System CMS",
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/44719",
          "name": "ExploitDB-44719",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.wecodex.com/item/view/online-store-system-in-php-and-mysql/3",
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/online-store-system-cms-sql-injection-via-clientaccess",
          "name": "VulnCheck Advisory: Online Store System CMS 1.0 SQL Injection via clientaccess",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Özkan Mustafa Akkuş (AkkuS)",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T15:02:07.192Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}