CVE-2018-25210

HIGH

WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25210. PoCs published by AkkuS.

AI-analyzed exploit summary

The exploit demonstrates SQL injection and XSS vulnerabilities in WebOfisi E-Ticaret V4. It includes multiple payloads for boolean-based blind, error-based, stacked queries, and time-based blind SQLi, as well as an XSS payload.

Description

WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database.

Exploits (1)

exploitdb · WORKING POC
by AkkuS · text · webapps · php
https://www.exploit-db.com/exploits/45897

Classification
Working PoC 95%
Attack Type
SQLi | XSS
Complexity
Trivial
Reliability
Reliable
Target: WebOfisi E-Ticaret v4.0
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Apr 08, 2026

References (4)

Core References
Exploit
ExploitDB-45897
https://www.exploit-db.com/exploits/45897
Product
Official Product Homepage
https://www.web-ofisi.com
Third Party Advisory
VulnCheck Advisory: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter
https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter

Scores

CVSS v3 8.2
EPSS 0.0027
EPSS Percentile 18.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
web-ofisi/e-ticaret < 4.0.0
Web-Ofisi/Ticaret V4 4.0
Published Mar 26, 2026
Tracked Since Mar 26, 2026