PatchSiren cyber security CVE debrief
CVE-2018-25389 Sitejo CVE debrief
CVE-2018-25389 documents an unauthenticated SQL injection vulnerability in HaPe PKH version 1.1, a PHP-based application. The flaw exists in the `lap-anggota-kelompok-pdf.php` endpoint, where user-supplied input via the `nama_kelompok` POST parameter is insufficiently sanitized before being incorporated into database queries. Attackers can inject time-based blind SQL payloads to infer and extract sensitive information from the backend database without direct error messages. The vulnerability carries a CVSS 4.0 base score of 8.8 (HIGH severity), reflecting network accessibility, low attack complexity, no required privileges, and high confidentiality impact. The CVE was published to NVD on May 29, 2026, with status marked as Deferred. Multiple source references confirm the issue, including an Exploit-DB entry and a dedicated VulnCheck advisory. The vendor attribution remains uncertain, with low-confidence evidence pointing to 'Sitejo' as a potential reference domain candidate. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor
- Sitejo
- Product
- HaPe PKH
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running HaPe PKH 1.1 for community group management; security teams responsible for PHP application security; database administrators managing backends supporting this application; incident response teams monitoring for SQL injection exploitation patterns.
Technical summary
The vulnerability resides in improper sanitization of the `nama_kelompok` POST parameter within `lap-anggota-kelompok-pdf.php`. The application constructs SQL queries using string concatenation with attacker-controlled input, enabling injection of time-delay payloads. Successful exploitation allows inference of database structure and content through timing side channels without requiring authentication credentials or producing visible error messages.
Defensive priority
HIGH
Recommended defensive actions
- Apply input validation and parameterized queries to the `nama_kelompok` parameter in `lap-anggota-kelompok-pdf.php`
- Implement prepared statements or stored procedures to eliminate SQL injection vectors
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting this endpoint
- Remove or restrict access to `lap-anggota-kelompok-pdf.php` if the functionality is not required
- Monitor application logs for anomalous time-delay patterns characteristic of time-based blind SQL injection attempts
- Review database user privileges to enforce least-privilege access, limiting impact of successful injection
- Consider upgrading to a patched version of HaPe PKH if available, or migrating to alternative maintained software
Evidence notes
Vulnerability confirmed through multiple independent sources: NVD entry with CVSS 4.0 vector, VulnCheck advisory specifically documenting the `nama_kelompok` parameter injection point, and Exploit-DB entry 45588 providing technical validation. The SourceForge reference indicates the affected software distribution channel. CWE-89 (SQL Injection) is the primary weakness classification.
Official resources
The vulnerability was disclosed via VulnCheck and subsequently indexed by NVD. Public exploitation details are available through Exploit-DB, increasing the risk of active scanning and exploitation against unpatched instances.