PatchSiren cyber security CVE debrief
CVE-2018-25390 Sitejo CVE debrief
CVE-2018-25390 documents an SQL injection vulnerability in HaPe PKH 1.1, a software project distributed via SourceForge. The vulnerability exists in the `lap-peserta-perdesa-pdf.php` endpoint, where the `desa` POST parameter fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL code. The issue was disclosed with a time-based blind SQL injection proof-of-concept, enabling attackers to infer and extract sensitive database information through crafted requests. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements in SQL Command). The NVD entry shows a deferred status as of the May 29, 2026 modification timestamp. Multiple source references including VulnCheck and Exploit-DB provide technical details, though no known exploitation in ransomware campaigns has been documented.
- Vendor
- Sitejo
- Product
- HaPe PKH
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running HaPe PKH 1.1 for program management, particularly those handling sensitive participant data. Security teams monitoring for SQL injection attacks in legacy PHP applications. Developers maintaining or forked versions of the HaPe PKH SourceForge project.
Technical summary
The vulnerability resides in HaPe PKH 1.1, specifically in the lap-peserta-perdesa-pdf.php endpoint. The desa POST parameter accepts unsanitized user input that is directly concatenated into SQL queries. Attackers can exploit this via time-based blind SQL injection techniques, sending crafted payloads that cause measurable delays in database response times to infer data. The attack requires no authentication and can be executed remotely over the network. The CVSS 4.0 score of 8.8 reflects high confidentiality impact with network accessibility and low attack complexity.
Defensive priority
HIGH
Recommended defensive actions
- Apply input validation and parameterized queries to the desa parameter in lap-peserta-perdesa-pdf.php
- Implement prepared statements for all database interactions in the application
- Deploy web application firewall rules to detect and block SQL injection attempts against the identified endpoint
- Remove or restrict access to lap-peserta-perdesa-pdf.php if the functionality is not required
- Review application logs for historical exploitation attempts using time-based blind SQL injection patterns
- Upgrade to a patched version of HaPe PKH if available from the vendor or SourceForge project
- Conduct code review of all PHP endpoints for similar SQL injection vulnerabilities
Evidence notes
Source references include the vendor site (sitejo.id), SourceForge download location for HaPe PKH, Exploit-DB entry 45588, and VulnCheck advisory. CVSS 4.0 vector provided in NVD metadata. CWE-89 classification confirmed via weakness data.
Official resources
The vulnerability was disclosed via coordinated disclosure through VulnCheck, with technical details published to Exploit-DB and the VulnCheck advisory database. The disclosure includes identification of the vulnerable parameter and attack