Platform
php
Component
wecodex-hotel-cms
Fixed in
1.0.1
CVE-2018-25195 describes a SQL injection vulnerability discovered in Wecodex Hotel CMS versions 1.0. This flaw allows unauthenticated attackers to bypass authentication and potentially gain unauthorized access to the system. The vulnerability lies within the admin login functionality and can be exploited by injecting malicious SQL code through the username parameter. A fix is available; upgrading is the recommended course of action.
The primary impact of CVE-2018-25195 is the ability for an attacker to bypass the authentication mechanism of the Wecodex Hotel CMS admin panel. By injecting carefully crafted SQL payloads into the username field during the login process, an attacker can manipulate database queries, potentially bypassing the need for valid credentials. This can lead to unauthorized access to sensitive data stored within the database, including user credentials, booking information, and potentially financial details. Successful exploitation could also allow an attacker to escalate privileges and gain administrative control over the entire CMS, enabling them to modify content, install malicious code, or even completely compromise the system. The blast radius extends to all data managed by the Hotel CMS.
CVE-2018-25195 was published on March 26, 2026. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it likely that such exploits could be developed and shared. The SQL injection vulnerability is a well-understood attack vector, and similar vulnerabilities have been exploited in numerous real-world incidents.
Exploit Status
EPSS
0.40% (60% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2018-25195 is to upgrade Wecodex Hotel CMS to a patched version. Unfortunately, specific patched versions are not provided in the CVE data. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and sanitization on the username field. A Web Application Firewall (WAF) configured to detect and block SQL injection attempts targeting the login endpoint (index.php with action=processlogin) can also provide a layer of protection. Regularly review and audit database access logs for suspicious activity.
Update to a patched version or apply the security measures recommended by the vendor to mitigate the SQL injection (SQL Injection) vulnerability. It is recommended to contact the vendor for a specific patch or detailed instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2018-25195 is a SQL injection vulnerability in Wecodex Hotel CMS version 1.0 that allows attackers to bypass authentication and potentially gain unauthorized access to the system.
If you are using Wecodex Hotel CMS version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade Wecodex Hotel CMS to a patched version. If upgrading is not immediately possible, implement temporary workarounds like input validation and a WAF.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Please refer to the Wecodex website or contact their support for the official advisory regarding CVE-2018-25195.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.