CVE-2018-25210

HighPublic PoC

Published: 26 March 2026

Published

26 March 2026

Modified

27 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0011 29.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-25210 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Web-Ofisi E-Ticaret. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs such as the 'urun' GET parameter before processing database queries.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and correction of flaws like the SQL injection vulnerability in the 'urun' parameter.

SI-11 Error Handling partial match

prevent

SI-11 mitigates error-based SQL injection attacks by handling error conditions without disclosing database structure or details through the 'urun' parameter.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in unauthenticated public-facing web endpoint directly enables remote exploitation of the application for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind,…

and stacked query attacks against the backend database.

Deeper analysisAI

CVE-2018-25210 is an SQL injection vulnerability in WebOfisi E-Ticaret 4.0, specifically in the 'urun' GET parameter of the affected endpoint. This flaw allows unauthenticated attackers to inject SQL payloads, enabling manipulation of backend database queries through techniques such as boolean-based blind, error-based, time-based blind, and stacked query attacks. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-79.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to confidential data via query manipulation, with low integrity impact but no availability disruption, potentially allowing extraction of sensitive information from the database.

Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter), an Exploit-DB entry (https://www.exploit-db.com/exploits/45897), a proof-of-concept file (https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing), and the vendor site (https://www.web-ofisi.com), provide details on the issue, though specific patch or mitigation instructions are outlined in those resources.