Cyber Resilience

CVE-2018-25201

HighPublic PoC

Published: 26 March 2026

Published
26 March 2026
Modified
27 March 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0050 38.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2018-25201 is a high-severity SQL Injection (CWE-89) vulnerability in Wecodex School Management System Cms. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-25201 is an SQL injection vulnerability (CWE-89) affecting School Management System CMS 1.0, specifically in the admin login functionality. The flaw exists in the processlogin endpoint, where attackers can inject SQL code through the username parameter using boolean-based blind SQL injection techniques. This allows authentication bypass without valid credentials, earning a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

Attackers can exploit this vulnerability remotely over the network with low complexity and low privileges required. By submitting malicious payloads to the username field during admin login attempts, they can authenticate as an administrator, potentially gaining high-level confidentiality access to sensitive data and limited integrity modifications, while availability remains unaffected.

Advisories and further details on mitigation are available in referenced sources, including Exploit-DB (exploit 44727) and VulnCheck's advisory on the School Management System CMS admin login SQL injection. The WeCodex page provides additional context on the affected PHP/MySQL-based system. No specific patches are detailed in the provided information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques…

more

to the processlogin endpoint to authenticate as administrator without valid credentials.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection vulnerability in the admin login of a public-facing web application directly enables exploitation of a public-facing application for authentication bypass and unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25204Same vendor: Wecodex
CVE-2018-25183Same vendor: Wecodex
CVE-2018-25195Same vendor: Wecodex
CVE-2018-25185Same vendor: Wecodex
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89

Affected Assets

wecodex
school management system cms
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents SQL injection by requiring validation of the username input parameter before it is used in the admin login query.

prevent

SI-9 enforces restrictions on inputs at the login interface to block malicious SQL payloads in the username field.

prevent

SI-2 requires timely remediation of the specific SQL injection flaw in the processlogin endpoint to eliminate the authentication bypass vulnerability.

References