PatchSiren cyber security CVE debrief
CVE-2018-25371 Moosocial CVE debrief
CVE-2018-25371 documents a blind SQL injection vulnerability in mooSocial Store Plugin version 2.6. The vulnerability exists in the product parameter used within URL rewrite functionality, allowing unauthenticated attackers to inject malicious SQL code. Successful exploitation enables database manipulation through boolean-based blind, time-based blind, or stacked query techniques, potentially leading to unauthorized extraction of sensitive information. The vulnerability carries a HIGH severity CVSS score of 8.8. The CVE record was published on May 25, 2026 and subsequently modified on May 26, 2026. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
- Vendor
- Moosocial
- Product
- mooSocial Store Plugin
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations running mooSocial Store Plugin version 2.6, web application security teams, database administrators, and security operations centers monitoring for SQL injection attacks against social networking platforms.
Technical summary
The mooSocial Store Plugin 2.6 fails to properly sanitize user input in the product parameter used for URL rewriting. Unauthenticated attackers can inject SQL payloads that execute boolean-based blind, time-based blind, or stacked query attacks. The vulnerability does not require authentication or user interaction, and can be exploited remotely over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) reflects network accessibility, low attack complexity, no privileges required, high confidentiality impact, and low integrity impact.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor patches or updates for mooSocial Store Plugin if available
- Implement parameterized queries and prepared statements to prevent SQL injection
- Validate and sanitize all user-supplied input, particularly the product parameter in URL rewrite functionality
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts
- Review database access controls and apply principle of least privilege
- Monitor application logs for suspicious query patterns indicative of blind SQL injection attempts
- Conduct security assessment of URL rewrite functionality for additional injection vectors
Evidence notes
The CVE description and NVD metadata confirm blind SQL injection via the product parameter in URL rewrite functionality. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact.
Official resources
The vulnerability was disclosed through VulnCheck and is documented in the NVD with references to exploit-db and vendor resources.