Description
Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via SQL Injection
Action: Patch Now
AI Analysis

Impact

The Shipping System CMS 1.0 contains a classic SQL injection flaw that allows an attacker to inject code into the username field of the admin login form. By crafting boolean‑based blind SQL payloads, the attacker can force the system to authenticate without valid credentials. This critical flaw belongs to the CWE‑89 class and, once exploited, grants the attacker privileged access to the administrative interface, enabling read, modify, or delete operations on the underlying database and compromising the confidentiality, integrity, and availability of the CMS.

Affected Systems

This vulnerability affects the Wecodex Shipping System CMS version 1.0. No other versions have been listed as impacted by the available data.

Risk and Exploitability

The weakness is rated with a CVSS score of 8.8, indicating high severity. The EPSS score of less than 1% suggests that widespread exploitation is unlikely, and the issue is not present in CISA’s KEV list. The attack vector is inferred to be a web‑based SQL injection executed against the admin login endpoint, requiring no prior authentication. If an attacker can reach this endpoint, the boolean-based blind approach can be used to authenticate and then leverage unrestricted administrative privileges.

Generated by OpenCVE AI on March 27, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of Wecodex Shipping System CMS that contains the vendor’s fix for the SQL injection vulnerability.
  • If a patch cannot be applied immediately, restrict access to the admin login endpoint by using a web‑application firewall or limiting traffic to known administrative IP addresses.
  • Regularly monitor authentication logs for failed login attempts and rapid boolean query patterns that may indicate an ongoing injection attempt.

Generated by OpenCVE AI on March 27, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wecodex:shipping_system_cms:1.0:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Wecodex
Wecodex shipping System Cms
Vendors & Products Wecodex
Wecodex shipping System Cms

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.
Title Shipping System CMS 1.0 SQL Injection via admin login
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wecodex Shipping System Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T18:44:34.674Z

Reserved: 2026-03-06T11:50:12.378Z

Link: CVE-2018-25183

cve-icon Vulnrichment

Updated: 2026-03-26T18:44:24.225Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T12:16:03.197

Modified: 2026-03-27T18:15:27.033

Link: CVE-2018-25183

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:16Z

Weaknesses