CVE-2018-25197
Published: 06 March 2026
Summary
CVE-2018-25197 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-25197 is an SQL injection vulnerability (CWE-89) affecting PlayJoom version 0.10.1. The issue arises in the catid parameter, which fails to properly sanitize user input, enabling attackers to inject and execute arbitrary SQL queries.
Unauthenticated remote attackers can exploit this vulnerability by sending GET requests to index.php?option=com_playjoom&view=genre&catid=[SQL payload]. Successful exploitation allows extraction of sensitive database information, including usernames, database names, and version details. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting network accessibility, low complexity, high confidentiality impact, and low integrity impact with no availability disruption.
Advisories, including those from VulnCheck, describe the SQL injection via the catid parameter in PlayJoom. An exploit proof-of-concept is publicly available on Exploit-DB (ID 45803), illustrating the attack vector with specific payloads for data extraction.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21649
Vulnerability details
PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with option=com_playjoom&view=genre&catid=[SQL] to extract sensitive database information including usernames,…
more
databases, and version details.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (PlayJoom) enables unauthenticated remote exploitation (T1190) and arbitrary database queries for sensitive data extraction (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires the system to validate and sanitize user inputs like the catid parameter, directly preventing SQL injection exploitation in PlayJoom.
Mandates identification, reporting, and correction of the specific SQL injection flaw in PlayJoom version 0.10.1.
Boundary protection with web application firewalls inspects and blocks malicious SQL payloads in unauthenticated GET requests to index.php.