CVE-2018-25204
Published: 26 March 2026
Summary
CVE-2018-25204 is a high-severity SQL Injection (CWE-89) vulnerability in Wecodex Library Cms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2018-25204 is an SQL injection vulnerability (CWE-89) in Library CMS 1.0, a PHP and MySQL-based library management system. The flaw resides in the admin login endpoint, where the username parameter is vulnerable to injection of SQL code, enabling attackers to manipulate database queries.
Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to the admin login endpoint with boolean-based blind SQL injection payloads in the username field. Successful exploitation allows bypassing authentication and gaining unauthorized access to the system. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact with low integrity impact and no availability impact.
Advisories and additional details are provided in references including an exploit PoC at https://www.exploit-db.com/exploits/44728, a VulnCheck advisory at https://www.vulncheck.com/advisories/library-cms-sql-injection-via-admin-login, and the software source at https://www.wecodex.com/item/view/library-management-system-in-php-and-mysql/1.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21667
Vulnerability details
Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can send POST requests to the admin login endpoint with boolean-based blind SQL injection payloads in…
more
the username field to manipulate database queries and gain unauthorized access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2018-25204 is an unauthenticated SQL injection in a public-facing web application's admin login endpoint, directly enabling exploitation of public-facing applications for authentication bypass and unauthorized access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the username input parameter to block SQL injection payloads in admin login POST requests, preventing query manipulation and authentication bypass.
Mandates secure identification and authentication for users, addressing authentication bypass via SQL injection in the admin login endpoint.
Enforces logical access controls to mitigate unauthorized access gained by exploiting SQL injection to manipulate database queries during login.