CVE-2018-25172

HIGH

Pedidos 1.0 - Unauthenticated SQL Injection via 'q' Parameter in load_proveedores.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25172. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in Pedidos 1.0 via the 'q' parameter in 'load_proveedores.php'. The provided URL-encoded payload extracts schema information from the database, confirming the vulnerability.

Description

Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to the ajax/load_proveedores.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and table structures.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · textwebappsphp
https://www.exploit-db.com/exploits/45856

This exploit demonstrates a SQL injection vulnerability in Pedidos 1.0 via the 'q' parameter in 'load_proveedores.php'. The provided URL-encoded payload extracts schema information from the database, confirming the vulnerability.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Pedidos 1.0
No auth needed
Prerequisites: network access to the target application
devstral-2 · analyzed Mar 06, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/45856

Scores

CVSS v3 8.2
EPSS 0.0029
EPSS Percentile 20.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Published Mar 06, 2026
Tracked Since Mar 06, 2026