{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25183", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-06T11:50:12.378Z", "datePublished": "2026-03-26T11:39:47.622Z", "dateUpdated": "2026-03-26T11:39:47.622Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:47.622Z"}, "datePublic": "2018-05-23T00:00:00.000Z", "title": "Shipping System CMS 1.0 SQL Injection via admin login", "descriptions": [{"lang": "en", "value": "Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Wecodex", "product": "Shipping System CMS", "versions": [{"version": "1.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/44722", "name": "ExploitDB-44722", "tags": ["exploit"]}, {"url": "https://www.wecodex.com/item/view/shipping-system-by-parcel-in-php-and-mysql/4", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: Shipping System CMS 1.0 SQL Injection via admin login", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/shipping-system-cms-sql-injection-via-admin-login"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials."}], "id": "CVE-2018-25183", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:03.197", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/44722"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/shipping-system-cms-sql-injection-via-admin-login"}, {"source": "disclosure@vulncheck.com", "url": "https://www.wecodex.com/item/view/shipping-system-by-parcel-in-php-and-mysql/4"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T13:25:11.668653+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011released patch for Shipping System CMS 1.0 that mitigates the SQL injection in the admin login.", "If a patch is not yet available, restrict administrative access by IP whitelisting or VPN only.", "Implement a web application firewall with SQL injection detection rules to block malicious payloads.", "Consider upgrading to a newer, supported version of the CMS when one becomes available."], "summary": {"action": "Patch ASAP", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Shipping System CMS version 1.0, developed by Wecodex. No other affected versions are listed. Only this product version should be checked for remediation.", "description_and_impact": "A false username field in the admin login form of Shipping System CMS 1.0 permits a malicious user to inject SQL code that bypasses authentication. By submitting carefully crafted boolean\u2011based blind SQL statements in the POST payload, an attacker can cause the authentication logic to succeed without valid credentials, effectively gaining administrative access. The weakness originates from insufficient input sanitization and is identified as CWE\u201189, a classic SQL injection vulnerability.", "risk_and_exploitability": "The CVSS score of 8.8 signals high severity and indicates that an unauthenticated attacker could cause a full compromise of the system. EPSS data is unavailable, so the exploitation probability is uncertain, but the lack of a KEV listing does not negate the risk. Attackers would need only access to the web application to deliver the injection payload to the admin login endpoint, making exploitation trivial for anyone with network visibility."}}}}, "created": "2026-03-26T13:54:49.750412+00:00", "updated": "2026-03-26T13:54:49.750436+00:00", "vendors": []}