Cyber Resilience

CVE-2018-25210

HighPublic PoC

Published: 26 March 2026

Published
26 March 2026
Modified
27 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0027 18.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2018-25210 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Web-Ofisi E-Ticaret. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-25210 is an SQL injection vulnerability in WebOfisi E-Ticaret 4.0, specifically in the 'urun' GET parameter of the affected endpoint. This flaw allows unauthenticated attackers to inject SQL payloads, enabling manipulation of backend database queries through techniques such as boolean-based blind, error-based, time-based blind, and stacked query attacks. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-79.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to confidential data via query manipulation, with low integrity impact but no availability disruption, potentially allowing extraction of sensitive information from the database.

Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter), an Exploit-DB entry (https://www.exploit-db.com/exploits/45897), a proof-of-concept file (https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing), and the vendor site (https://www.web-ofisi.com), provide details on the issue, though specific patch or mitigation instructions are outlined in those resources.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind,…

more

and stacked query attacks against the backend database.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated public-facing web endpoint directly enables remote exploitation of the application for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25455Same product: Web-Ofisi E-Ticaret
CVE-2019-25461Same vendor: Web-Ofisi
CVE-2019-25457Same vendor: Web-Ofisi
CVE-2019-25458Same vendor: Web-Ofisi
CVE-2024-56060Shared CWE-79
CVE-2022-50908Shared CWE-79
CVE-2026-44669Shared CWE-79
CVE-2025-23882Shared CWE-79
CVE-2025-68501Shared CWE-79
CVE-2025-49043Shared CWE-79

Affected Assets

web-ofisi
e-ticaret
≤ 4.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs such as the 'urun' GET parameter before processing database queries.

prevent

SI-2 mandates timely identification, reporting, and correction of flaws like the SQL injection vulnerability in the 'urun' parameter.

prevent

SI-11 mitigates error-based SQL injection attacks by handling error conditions without disclosing database structure or details through the 'urun' parameter.

References