PatchSiren cyber security CVE debrief
CVE-2018-25413 Aiopmsd CVE debrief
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection vulnerability in the search.php endpoint. The 'q' parameter fails to properly sanitize user input, allowing remote attackers to inject arbitrary SQL commands via crafted GET requests. This vulnerability enables extraction of sensitive database information including usernames, database names, and version details without authentication. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no required privileges, and high confidentiality impact to the vulnerable component. The vendor attribution remains uncertain with low confidence based on reference domain analysis pointing to Exploit Db.
- Vendor
- Aiopmsd
- Product
- AiOPMSD Final
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-30
- Original CVE updated
- 2026-05-30
- Advisory published
- 2026-05-30
- Advisory updated
- 2026-05-30
Who should care
Organizations running AiOPMSD Final 1.0.0; security teams managing legacy PHP applications; database administrators responsible for application backend security; incident response teams investigating potential data exfiltration from web application databases
Technical summary
The vulnerability exists in the search.php component of AiOPMSD Final 1.0.0 where the 'q' parameter accepts user-supplied input without adequate sanitization or parameterization before incorporation into SQL queries. Attackers can craft malicious GET requests to manipulate the query structure, enabling arbitrary SQL execution. The unauthenticated nature of the vulnerability combined with network accessibility and low attack complexity creates significant exposure for affected deployments. Successful exploitation yields high confidentiality impact through extraction of database metadata and contents.
Defensive priority
HIGH
Recommended defensive actions
- Implement parameterized queries or prepared statements for all database interactions in search.php, specifically for the 'q' parameter
- Apply input validation and sanitization on the 'q' parameter, rejecting unexpected characters and SQL metacharacters
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the search endpoint
- Remove or restrict access to search.php if the functionality is not required for business operations
- Review application logs for historical exploitation attempts involving the search.php endpoint and 'q' parameter
- Conduct code review of all database-interacting components in AiOPMSD Final 1.0.0 for similar injection vulnerabilities
- Consider upgrading to a maintained alternative to AiOPMSD Final 1.0.0 given the unpatched vulnerability status
Evidence notes
Vulnerability disclosed via [email protected] with references to SourceForge project pages, Exploit-DB entry 45690, and VulnCheck advisory. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. CWE-89 (SQL Injection) identified as primary weakness. NVD status: Received.
Official resources
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection vulnerability in the search.php endpoint. The 'q' parameter fails to properly sanitize user input, allowing remote attackers to inject arbitrary SQL commands via crafted GET.