CVE-2018-25207
Published: 26 March 2026
Summary
CVE-2018-25207 is a high-severity SQL Injection (CWE-89) vulnerability in Hscripts (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-25207 is a SQL injection vulnerability (CWE-89) affecting Online Quiz Maker 1.0, a PHP-based web application. The flaw resides in the catid and usern parameters, which fail to properly sanitize user input, enabling arbitrary SQL command execution. Vulnerable endpoints include quiz-system.php and add-category.php, where attackers can inject crafted payloads via POST requests. The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low privileges required.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction. By submitting malicious POST requests containing SQL payloads to the affected parameters, they can execute arbitrary SQL commands, extract sensitive database information such as user credentials or quiz data, or bypass authentication mechanisms entirely.
Advisories and references, including a VulnCheck advisory on the catid parameter SQL injection and an Exploit-DB entry (45323) providing proof-of-concept exploits, document the issue but do not specify available patches or vendor mitigations. The original software is hosted on hscripts.com, with download links available, suggesting practitioners should avoid deploying version 1.0 and implement input validation or prepared statements in similar applications.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21673
Vulnerability details
Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters…
more
to extract sensitive database information or bypass authentication.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible PHP web app directly enables remote exploitation of a public-facing application for data exfiltration and auth bypass.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates validation of user inputs in parameters like catid and usern to block SQL injection payloads before they reach the database.
SI-2 requires identification, reporting, and correction of flaws like the SQL injection in quiz-system.php and add-category.php.
SI-9 enforces restrictions on POST parameters such as catid and usern at application boundaries to prevent malicious SQL payloads.