CVE-2018-25201
Published: 26 March 2026
Summary
CVE-2018-25201 is a high-severity SQL Injection (CWE-89) vulnerability in Wecodex School Management System Cms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-25201 is an SQL injection vulnerability (CWE-89) affecting School Management System CMS 1.0, specifically in the admin login functionality. The flaw exists in the processlogin endpoint, where attackers can inject SQL code through the username parameter using boolean-based blind SQL injection techniques. This allows authentication bypass without valid credentials, earning a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
Attackers can exploit this vulnerability remotely over the network with low complexity and low privileges required. By submitting malicious payloads to the username field during admin login attempts, they can authenticate as an administrator, potentially gaining high-level confidentiality access to sensitive data and limited integrity modifications, while availability remains unaffected.
Advisories and further details on mitigation are available in referenced sources, including Exploit-DB (exploit 44727) and VulnCheck's advisory on the School Management System CMS admin login SQL injection. The WeCodex page provides additional context on the affected PHP/MySQL-based system. No specific patches are detailed in the provided information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21661
Vulnerability details
School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques…
more
to the processlogin endpoint to authenticate as administrator without valid credentials.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in the admin login of a public-facing web application directly enables exploitation of a public-facing application for authentication bypass and unauthorized access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents SQL injection by requiring validation of the username input parameter before it is used in the admin login query.
SI-9 enforces restrictions on inputs at the login interface to block malicious SQL payloads in the username field.
SI-2 requires timely remediation of the specific SQL injection flaw in the processlogin endpoint to eliminate the authentication bypass vulnerability.