CVE-2018-25195

HIGH

Wecodex Hotel CMS 1.0 SQL Injection via Admin Login

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25195. PoCs published by AkkuS.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in Wecodex Hotel CMS 1.0's admin login functionality. It includes payloads for boolean-based blind and time-based blind SQL injection attacks.

Description

Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.

Exploits (1)

exploitdb WORKING POC
by AkkuS · textwebappsphp
https://www.exploit-db.com/exploits/44729

This exploit demonstrates a SQL injection vulnerability in Wecodex Hotel CMS 1.0's admin login functionality. It includes payloads for boolean-based blind and time-based blind SQL injection attacks.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Wecodex Hotel CMS 1.0
No auth needed
Prerequisites: access to the admin login page
devstral-2 · analyzed Apr 08, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-44729
https://www.exploit-db.com/exploits/44729
Third Party Advisory third-party-advisory
VulnCheck Advisory: Wecodex Hotel CMS 1.0 SQL Injection via Admin Login
https://www.vulncheck.com/advisories/wecodex-hotel-cms-sql-injection-via-admin-login

Scores

CVSS v3 8.2
EPSS 0.0052
EPSS Percentile 39.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
wecodex/hotel_cms 1.0
Wecodex/Wecodex Hotel CMS 1.0
Published Mar 26, 2026
Tracked Since Mar 26, 2026