CVE-2018-25341

HIGH

Smartshop 1 SQL Injection via product.php id Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25341. PoCs published by L0RD.

AI-analyzed exploit summary This is a technical writeup detailing SQL injection vulnerabilities in Smartshop 1, specifically in category.php, product.php, and search.php. It includes vulnerable code snippets, payload examples, and parameter details for exploitation.

Description

Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to product.php with union-based SQL injection payloads in the id parameter to extract sensitive database information including usernames and database names.

Exploits (1)

exploitdb WRITEUP

by L0RD · textwebappsphp

https://www.exploit-db.com/exploits/44823

View Code ZIP pw:eip

This is a technical writeup detailing SQL injection vulnerabilities in Smartshop 1, specifically in category.php, product.php, and search.php. It includes vulnerable code snippets, payload examples, and parameter details for exploitation.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Smartshop 1

No auth needed

Prerequisites: access to vulnerable endpoints (category.php, product.php, search.php)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed May 24, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-44823

https://www.exploit-db.com/exploits/44823

Product product

Official Product Homepage

https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website

Product product

Product Reference

https://github.com/smakosh/Smartshop/archive/master.zip

Third Party Advisory third-party-advisory

VulnCheck Advisory: Smartshop 1 SQL Injection via product.php id Parameter

https://www.vulncheck.com/advisories/smartshop-1-sql-injection-via-product-php-id-parameter

Scores

CVSS v3 8.2

EPSS 0.0043

EPSS Percentile 34.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

Behance/Smartshop 1.0

Published May 23, 2026

Tracked Since May 24, 2026