CVE-2018-18486

CRITICAL

PHPSHE 1.7 - SQL Injection via admin.php user_id[] Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18486. PoCs published by koyshe.

AI-analyzed exploit summary: This is a technical writeup detailing SQL injection vulnerabilities in the phpshe CMS, specifically in the admin/user.php and other admin files. It includes code snippets, payload examples, and explanations of how the vulnerability can be exploited due to improper handling of array inputs.

Description

An issue was discovered in PHPSHE 1.7. SQL injection exists via the admin.php?mod=user&act=del user_id[] parameter.

Exploits (1)

gitee WRITEUP 48 stars
by koyshe · phpwriteup
https://gitee.com/koyshe/phpshe/issues/INPIT

Classification: Writeup 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: phpshe CMS
Auth required
Prerequisites: admin access to the target application · valid token for CSRF protection
devstral-2 · analyzed Mar 04, 2026

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://gitee.com/koyshe/phpshe/issues/INPIT

Scores

CVSS v3 9.8
EPSS 0.0114
EPSS Percentile 62.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
phpshe/phpshe 1.7
Published Oct 18, 2018
Tracked Since Feb 18, 2026