CVE-2018-25429

HIGH

Paroiciel 11.20 - Authenticated SQL Injection via zProIdPro Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25429. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary The exploit demonstrates SQL injection vulnerabilities in Paroiciel 11.20 via three distinct endpoints (`trec.php`, `zpro.php`, `egeq.php`). The payloads use UNION-based SQLi to extract database information, including table and column names.

Description

Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro parameter to extract sensitive database information including usernames, databases, and version details.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · textwebappsphp
https://www.exploit-db.com/exploits/45810

The exploit demonstrates SQL injection vulnerabilities in Paroiciel 11.20 via three distinct endpoints (`trec.php`, `zpro.php`, `egeq.php`). The payloads use UNION-based SQLi to extract database information, including table and column names.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Paroiciel 11.20
Auth required
Prerequisites: valid session cookies (paroi6l_auth, PHPSESSID) · access to the target web application
devstral-2 · analyzed Jun 02, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 7.1
EPSS 0.0027
EPSS Percentile 18.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Paroiciel/Paroiciel 11.20
Published Jun 01, 2026
Tracked Since Jun 02, 2026