CVE-2018-25182 in Silurus Classifieds Script
Summary
by MITRE • 03/06/2026
Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to extract database table names and sensitive information from the database.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/06/2026
The vulnerability identified as CVE-2018-25182 affects Silurus Classifieds Script version 2.0, representing a critical SQL injection flaw that undermines the application's database security mechanisms. This vulnerability resides within the wcategory.php script where the ID parameter fails to properly sanitize user input, creating an exploitable entry point for malicious actors. The flaw allows unauthenticated attackers to inject arbitrary SQL commands directly into the database query execution flow, bypassing normal authentication and authorization controls that should protect database access.
The technical implementation of this vulnerability stems from improper input validation and parameter handling within the application's backend processing logic. When the ID parameter is passed to wcategory.php without adequate sanitization or parameterized query construction, the malicious SQL payload gets directly concatenated into the database query string. This design flaw aligns with CWE-89, which categorizes SQL injection vulnerabilities as weaknesses in software that allows attackers to manipulate database queries through untrusted input. The vulnerability's exploitation requires only basic HTTP GET requests, making it particularly dangerous as it can be executed through simple web browser interactions or automated tools.
The operational impact of this vulnerability extends beyond simple data exfiltration, as attackers can leverage the SQL injection to perform comprehensive database reconnaissance and potentially escalate their privileges. Through careful crafting of SQL payloads, malicious actors can extract table schemas, user credentials, session information, and other sensitive database contents. The vulnerability enables attackers to execute data manipulation operations including SELECT statements to retrieve information, INSERT operations to add malicious entries, UPDATE commands to modify existing data, and DELETE operations to remove critical information. This comprehensive access capability represents a severe threat to the application's integrity and confidentiality, potentially leading to complete system compromise and data breaches.
Security professionals should consider this vulnerability in the context of ATT&CK framework's T1071.004 technique, which covers application layer protocol manipulation, and T1213.002 for data from information repositories. The attack surface for this vulnerability includes not only the direct database access but also potential chain reactions that could lead to further system compromise through credential theft or privilege escalation. Organizations should implement immediate mitigations including input validation, parameterized queries, and web application firewalls to prevent exploitation. The vulnerability demonstrates the critical importance of proper input sanitization and the principle of least privilege in database access controls, as recommended by industry security standards and best practices for web application security.