CVE-2018-25188
Published: 06 March 2026
Summary
CVE-2018-25188 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-25188 is an SQL injection vulnerability (CWE-89) affecting Webiness Inventory version 2.3. The flaw resides in the WsModelGrid.php endpoint, where the order parameter fails to properly sanitize user input, allowing attackers to inject malicious SQL code. Published on 2026-03-06 with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), it enables high-impact confidentiality breaches with low integrity impact and no availability disruption.
Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the WsModelGrid.php endpoint with crafted SQL payloads in the order parameter. Successful exploitation allows execution of arbitrary SQL queries, permitting extraction of sensitive database information such as usernames, database names, and version details.
Advisories and references include a proof-of-concept exploit published on Exploit-DB (https://www.exploit-db.com/exploits/45843) and a detailed advisory from Vulncheck (https://www.vulncheck.com/advisories/webiness-inventory-sql-injection-via-wsmodelgridphp), which document the issue but do not specify patches or mitigations in the provided information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21641
Vulnerability details
Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract…
more
sensitive database information including usernames, databases, and version details.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (T1190) enables arbitrary database queries for sensitive data extraction (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates validation of the unsanitized 'order' parameter in WsModelGrid.php to prevent SQL injection execution.
Requires timely identification, reporting, and correction of the SQL injection flaw in Webiness Inventory 2.3 to eliminate the vulnerability.
Enforces restrictions on information inputs at system boundaries to block malicious SQL payloads in POST requests to the vulnerable endpoint.