PatchSiren cyber security CVE debrief
CVE-2018-25419 Aiopmsd CVE debrief
CVE-2018-25419 documents an unauthenticated SQL injection vulnerability in AiOPMSD Final 1.0.0. The flaw lies in the genre parameter of genre.php, where attacker-controlled input is concatenated into SQL query text without sanitization or parameterization. A remote attacker with no credentials can send crafted GET requests to genre.php carrying SQL in the genre parameter and so execute arbitrary queries against the backend database. Successful exploitation yields sensitive database metadata, including usernames, database names and version details. The vulnerability carries a HIGH severity CVSS score of 8.8. The CVE record was published on 2026-05-30 and modified on 2026-06-01; the NVD entry currently shows a status of Deferred. No Known Exploited Vulnerabilities (KEV) catalog entry appears in the stored evidence. Vendor attribution is low-confidence, inferred from reference domains: the product is identified as AiOPMSD Final 1.0.0 and the vendor field remains flagged for review.
- Vendor: Aiopmsd
- Product: AiOPMSD Final
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-30
- Original CVE updated: 2026-06-01
- Advisory published: 2026-05-30
- Advisory updated: 2026-06-01
Who should care
Organizations running AiOPMSD Final 1.0.0; security teams responsible for web application security; database administrators managing backends supporting PHP applications; incident response teams monitoring for unauthenticated web application attacks
Technical summary
The vulnerability exists in AiOPMSD Final 1.0.0 within the genre.php endpoint. The genre parameter accepts user input that is passed directly into SQL query text without sanitization or parameterization. An unauthenticated attacker can craft GET requests whose genre parameter closes the expected string literal and appends attacker-chosen SQL, which the backend then executes. This enables extraction of sensitive database metadata, including usernames, database names and version information, typically through UNION-based queries against the database's built-in functions and system tables. The attack is reachable over the network, requires no privileges and has low complexity, which is what drives the 8.8 score.
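The following is an added example, not AiOPMSD's own code: a stand-in for the genre.php query pattern the summary describes, written in Python over an in-memory SQLite database so the effect of one payload can be compared on the vulnerable and the parameterized form side by side. The table layout, column names, query text and the payload are assumptions for illustration; the real application's schema and queries are not documented on this page, and sqlite_version() stands in for the version, user and database functions an attacker would target on the real backend.

```python
"""Added example, not AiOPMSD's own code.

A stand-in for the genre.php query pattern the advisory describes: one
function splices the `genre` GET parameter into the SQL text, the other
binds it as a parameter. It runs against an in-memory SQLite database
so the same payload can be observed against both forms.
The table layout, column names and query text are assumptions for
illustration; the real application's schema is not documented here.
"""
import sqlite3


def setup_db():
    """Constructed sample data standing in for the application's catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, genre TEXT)"
    )
    conn.executemany(
        "INSERT INTO items (title, genre) VALUES (?, ?)",
        [("Alpha", "drama"), ("Beta", "comedy"), ("Gamma", "drama")],
    )
    return conn


def vulnerable_lookup(conn, genre):
    """The flaw class: the request parameter becomes part of the SQL text.

    A value containing a quote closes the literal early and whatever
    follows is parsed as SQL, so a UNION can pull arbitrary rows in.
    """
    sql = "SELECT title FROM items WHERE genre = '%s'" % genre
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, genre):
    """Hardened form: the value travels as a bound parameter, never as SQL.

    The driver sends the statement and the value separately, so quotes,
    comment markers and keywords in the value have no syntactic effect.
    """
    rows = conn.execute("SELECT title FROM items WHERE genre = ?", (genre,))
    return [row[0] for row in rows]


# Hypothetical payload in the shape the advisory names: close the string
# literal, UNION in a row of attacker-chosen data, comment out the rest.
# sqlite_version() stands in for the version/user/database functions an
# attacker would query on the real backend.
UNION_PAYLOAD = "' UNION SELECT sqlite_version() --"


def compare(payload=UNION_PAYLOAD):
    """Run the same payload through both forms; returns what each returned."""
    conn = setup_db()
    try:
        return {
            "vulnerable": vulnerable_lookup(conn, payload),
            "safe": safe_lookup(conn, payload),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    result = compare()
    print("vulnerable query returned:", result["vulnerable"])
    print("parameterized query returned:", result["safe"])
```

With the payload above the vulnerable form returns the SQLite version string as if it were a title, while the parameterized form returns no rows because no genre is literally named that. A boolean payload such as `' OR '1'='1` shows the other half of the picture: the spliced query returns every row, the bound query returns none.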
Defensive priority
HIGH
Recommended defensive actions
- Add allow-list input validation for the genre parameter in genre.php (for example, accept only values present in the genre catalogue) as defense in depth; validation alone does not close an injection path that still concatenates request input into SQL text
- Rewrite the genre.php query, and any other query that receives request input, to use parameterized queries or prepared statements so that values are bound rather than spliced into the statement; this is the fix, the other items are mitigations
- Run the application under a database account limited to the tables and statements it actually needs, so a successful injection cannot read beyond the application's own data or modify it
- Deploy Web Application Firewall (WAF) rules for SQL injection payloads against genre.php as a stopgap, and treat them as a mitigating control rather than a fix, since encoded and obfuscated payloads routinely bypass signature rules
- Monitor access logs for GET requests to genre.php whose query string, after URL-decoding, contains a quote followed by SQL keywords, comment terminators (--, /*, #) or UNION SELECT patterns, and correlate bursts of such requests from a single source address
- Review the other endpoints in AiOPMSD Final for the same pattern of request parameters reaching SQL text; an application with one such bug seldom has only one
- If the vendor provides no patch, remove the application from production networks or isolate it behind authentication and network access controls until it can be replaced
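The log-monitoring and sibling-endpoint review items above, as an added example that is neither PatchSiren's nor AiOPMSD's code: a scanner that parses combined-format access log lines, URL-decodes every query-string parameter, and flags values carrying the injection shapes the advisory calls out. It deliberately covers every path and parameter rather than only genre.php, so the same run surfaces probes against other endpoints. The log lines are constructed sample data, not captured traffic, and the pattern list is an assumption about what a first-pass signature set should contain.

```python
"""Added example, not AiOPMSD's or PatchSiren's code.

A log scanner for the monitoring step: it parses Apache/Nginx
combined-format access lines, decodes each query-string parameter, and
flags values that carry the injection shapes the advisory calls out
(UNION-based extraction, quote-plus-boolean, comment terminators and
time-based probes). It covers every endpoint and parameter rather than
only genre.php, so a sibling-endpoint review can reuse it.
The log lines below are constructed sample data, not captured traffic.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied after URL-decoding, so percent-encoded payloads are still caught.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("quote_logic", re.compile(r"'\s*(?:or|and)\s+", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"--|/\*|#")),
]


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding, a common filter-evasion trick."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the names of the injection patterns a parameter value matches."""
    value = decode_fully(value)
    return [name for name, pattern in SQLI_PATTERNS if pattern.search(value)]


def scan_log(text):
    """Return one hit per suspicious parameter value in combined-format log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        parts = urlsplit(m["target"])
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                reasons = classify(value)
                if reasons:
                    hits.append({
                        "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                        "path": parts.path, "param": name,
                        "value": decode_fully(value), "reasons": reasons,
                    })
    return hits


# Constructed sample log: two benign requests, three scanner-style probes
# against genre.php (one of them double-encoded), one probe elsewhere.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2026:10:01:02 +0000] "GET /genre.php?genre=drama HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:10:01:09 +0000] "GET /genre.php?genre=children%27s HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2026:10:02:11 +0000] "GET /genre.php?genre=drama%27%20UNION%20SELECT%20user()%2Cdatabase()%2Cversion()--%20- HTTP/1.1" 200 6210 "-" "sqlmap/1.7"
198.51.100.23 - - [30/May/2026:10:02:12 +0000] "GET /genre.php?genre=drama%27%20AND%201%3D1--%20- HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
198.51.100.23 - - [30/May/2026:10:02:13 +0000] "GET /genre.php?genre=drama%2527%2520AND%2520SLEEP(5)--%2520- HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
192.0.2.5 - - [30/May/2026:10:03:00 +0000] "GET /index.php?page=1%27%20UNION%20SELECT%201-- HTTP/1.1" 404 210 "-" "curl/8.0"
"""


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["param"], hit["reasons"], repr(hit["value"]))
```

The benign apostrophe in `children's` is not flagged because a lone quote is not enough; the patterns require a quote followed by a boolean operator, a comment terminator, or a UNION/time-based keyword. Decoding repeatedly matters: the third sqlmap line is double-encoded and would slip past a single-pass decoder. The pattern set is intentionally small and will miss obfuscated payloads; it is a triage filter to drive alerting, not a substitute for the parameterization fix.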
Evidence notes
Vulnerability description sourced from the official CVE record and the NVD entry. Technical details confirmed via the VulnCheck advisory and the Exploit-DB reference. A CVSS 4.0 vector is present in the NVD metadata. Vendor attribution is marked low-confidence with the review flag set.
Official resources
Unauthenticated SQL injection in AiOPMSD Final 1.0.0 genre.php genre parameter