Description
Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch ASAP
AI Analysis

Impact

A false username field in the admin login form of Shipping System CMS 1.0 permits a malicious user to inject SQL code that bypasses authentication. By submitting carefully crafted boolean‑based blind SQL statements in the POST payload, an attacker can cause the authentication logic to succeed without valid credentials, effectively gaining administrative access. The weakness originates from insufficient input sanitization and is identified as CWE‑89, a classic SQL injection vulnerability.

Affected Systems

The vulnerability affects the Shipping System CMS version 1.0, developed by Wecodex. No other affected versions are listed. Only this product version should be checked for remediation.

Risk and Exploitability

The CVSS score of 8.8 signals high severity and indicates that an unauthenticated attacker could cause a full compromise of the system. EPSS data is unavailable, so the exploitation probability is uncertain, but the lack of a KEV listing does not negate the risk. Attackers would need only access to the web application to deliver the injection payload to the admin login endpoint, making exploitation trivial for anyone with network visibility.

Generated by OpenCVE AI on March 26, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch for Shipping System CMS 1.0 that mitigates the SQL injection in the admin login.
  • If a patch is not yet available, restrict administrative access by IP whitelisting or VPN only.
  • Implement a web application firewall with SQL injection detection rules to block malicious payloads.
  • Consider upgrading to a newer, supported version of the CMS when one becomes available.

Generated by OpenCVE AI on March 26, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wecodex:shipping_system_cms:1.0:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Wecodex
Wecodex shipping System Cms
Vendors & Products Wecodex
Wecodex shipping System Cms

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.
Title Shipping System CMS 1.0 SQL Injection via admin login
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wecodex Shipping System Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T18:44:34.674Z

Reserved: 2026-03-06T11:50:12.378Z

Link: CVE-2018-25183

cve-icon Vulnrichment

Updated: 2026-03-26T18:44:24.225Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T12:16:03.197

Modified: 2026-03-27T18:15:27.033

Link: CVE-2018-25183

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T08:36:12Z

Weaknesses