Description
Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.
Published: 2026-03-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted SQL injection allowing data extraction and denial of service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection (CWE‑89) that permits attackers to inject arbitrary SQL code through the GET parameter 'u_id' on /admin/users.php and the POST parameter 'agent[]' on /admin/mailer.php. It enables unauthenticated users to perform time‑based blind SQL injections to read sensitive data or use sleep payloads to disrupt service. The impact includes data confidentiality breach, integrity violation, and availability degradation for affected systems.

Affected Systems

Affected product is Next Click Ventures RealtyScript version 4.0.2 (cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*). No other versions or products are listed as affected in the data provided.

Risk and Exploitability

The CVSS score of 8.8 classifies this as high severity. The EPSS score of less than 1% suggests low current exploitation probability, but the vulnerability is not mitigated in the CISA KEV catalog. Attackers need only send crafted HTTP requests to the vulnerable endpoints; no authentication is required. If exploited, an attacker can exfiltrate data or cause denial of service via time‑based techniques.

Generated by OpenCVE AI on March 18, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of RealtyScript or apply the vendor‑issued patch if available.
  • If upgrading is not immediately possible, proactively disable or restrict access to /admin/users.php and /admin/mailer.php or enforce strict access controls.
  • Deploy a Web Application Firewall to detect and block SQL injection payloads targeting the vulnerable parameters.
  • Monitor web server logs for unusual patterns such as repeated 'sleep(' or 'waitfor' statements and investigate promptly.
  • Verify with Next Click Ventures support or the vendor website for any available security updates or advisories.

Generated by OpenCVE AI on March 18, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Nextclickventures
Nextclickventures realtyscript
CPEs cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*
Vendors & Products Nextclickventures
Nextclickventures realtyscript

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Next Click Ventures
Next Click Ventures realtyscripts
Vendors & Products Next Click Ventures
Next Click Ventures realtyscripts

Sun, 15 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.
Title RealtyScript 4.0.2 SQL Injection via u_id and agent Parameters
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Next Click Ventures Realtyscripts
Nextclickventures Realtyscript
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:30:30.626Z

Reserved: 2026-03-15T18:08:31.779Z

Link: CVE-2015-20121

cve-icon Vulnrichment

Updated: 2026-03-16T14:21:07.849Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:17:48.160

Modified: 2026-03-18T15:24:32.517

Link: CVE-2015-20121

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:26Z

Weaknesses