Submit #823145: SourceCodester Water Billing Management System in PHP/OOP Free Source Code 1.0 SQL Injectioninfo

TitleSourceCodester Water Billing Management System in PHP/OOP Free Source Code 1.0 SQL Injection
DescriptionThe Water Billing Management System is vulnerable to an Authenticated SQL Injection flaw within the administrative dashboard. An attacker with valid low-level administrative credentials can manipulate the id parameter in the user management module to execute arbitrary SQL commands. This can lead to unauthorized data disclosure, including database versioning, structural information, and sensitive user records. The application fails to properly sanitize or parameterize the id GET parameter in the /wbms/admin/?page=user/manage_user route. The input is passed directly into a SQL query string, allowing for Union-Based SQL Injection. While this requires the attacker to be logged into the admin panel, it represents a significant risk from "insider threats" or compromised sub-admin accounts, as it allows for vertical privilege escalation and full database extraction.
Source⚠️ https://github.com/renzortega1337/Security-Research-/blob/main/Authenticated%20SQL%20Injection%20in%20User%20Management.md
User
 renzortega1337 (UID 98096)
Submission05/08/2026 15:26 (2 months ago)
Moderation05/31/2026 10:24 (23 days later)
StatusAccepted
VulDB entry367516 [SourceCodester Water Billing Management System 1.0 User Management manage_user ID sql injection]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!