Description
Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint with malicious SQL payloads using boolean-based blind or time-based blind techniques to extract sensitive database information.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Leakage
Action: Immediate Patch
AI Analysis

Impact

Wecodex Restaurant CMS version 1.0 contains a flaw where the username input on the login page is inserted directly into a MySQL query without sanitization, a classic SQL injection vulnerability. An unauthenticated attacker can send crafted POST requests to the login endpoint and extract arbitrary data from the database, including business-sensitive information. The primary consequence is disclosure of confidential data, compromising the confidentiality of the information the system holds.

Affected Systems

The vulnerable product is Wecodex Restaurant CMS version 1.0. No newer versions are documented in the supplied data, so all installations of this release are potentially affected.

Risk and Exploitability

The vulnerability has a CVSS base score of 8.8, indicating high severity. The EPSS score is less than 1%, and it is not listed in the CISA KEV catalogue. The advisory explicitly states that the flaw can be exploited remotely by sending crafted POST requests to the public login endpoint; no special privileges or additional conditions are required beyond network access to the affected server.

Generated by OpenCVE AI on March 26, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-provided patch or upgrade to a newer version of Wecodex Restaurant CMS when available.
  • If no patch is provided, limit exposure by restricting access to the login page using firewall rules or IP whitelisting.
  • Deploy a web application firewall to detect and block typical SQL injection payloads.
  • Review and refactor the application’s login code to enforce strict input validation and use parameterized queries or prepared statements to eliminate unsanitized user input.
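The last recommendation is the one that actually removes the flaw, so here is an added example (not code from Wecodex Restaurant CMS, whose source is not on this page) contrasting the vulnerable pattern the advisory describes with the hardened form it recommends. It uses an in-memory SQLite database as a stand-in for the CMS's MySQL backend; the `users` table layout, column names and account are constructed assumptions. The vulnerable function pastes the submitted username into the SQL text, so a quote followed by a comment marker in the username truncates the password check; the fixed function applies allowlist validation and a parameterized query, and the same input is simply an unknown username.

```python
import hashlib
import re
import sqlite3

# Added example, not code from Wecodex Restaurant CMS. In-memory SQLite stands
# in for the CMS's MySQL backend; the `users` schema below is an assumption,
# since the real schema is not in the advisory.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def hash_password(password: str) -> str:
    # Placeholder hash so the example stays self-contained; a real login
    # should use a slow, salted password hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build a constructed users table holding a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", hash_password("correct-horse-battery")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The pattern the advisory describes: the submitted username is pasted
    # straight into the SQL text, so quote and comment characters in it change
    # the query's structure instead of being treated as data.
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, hash_password(password))
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Defence 1: strict allowlist validation at the input boundary.
    if not USERNAME_RE.fullmatch(username):
        return False
    # Defence 2: a parameterized query. The driver transmits the values
    # separately from the SQL text, so they can never alter its structure.
    # (SQLite uses `?` placeholders; MySQL drivers such as mysql-connector
    # or PyMySQL use `%s` with the same two-argument execute() call.)
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both login paths against the same inputs and report the outcomes."""
    conn = make_db()
    injected = "admin' -- "  # the comment marker cuts off the password check
    return {
        "vuln_valid_creds": login_vulnerable(conn, "admin", "correct-horse-battery"),
        "vuln_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "vuln_injected": login_vulnerable(conn, injected, "wrong"),
        "fixed_valid_creds": login_fixed(conn, "admin", "correct-horse-battery"),
        "fixed_wrong_password": login_fixed(conn, "admin", "wrong"),
        "fixed_injected": login_fixed(conn, injected, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the parameterized query alone would already defeat the injected username; the allowlist check is kept because it also rejects the input early, produces a clean event to log and alert on, and shrinks the surface a web application firewall has to reason about.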


Tracking


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wecodex; Wecodex wecodex Restaurant Cms
Vendors & Products | | Wecodex; Wecodex wecodex Restaurant Cms

Thu, 26 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint with malicious SQL payloads using boolean-based blind or time-based blind techniques to extract sensitive database information.
Title | | Wecodex Restaurant CMS 1.0 SQL Injection via Login
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Wecodex Wecodex Restaurant Cms
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T13:38:07.688Z

Reserved: 2026-03-06T11:54:43.500Z

Link: CVE-2018-25185

Vulnrichment

Updated: 2026-03-26T13:38:03.575Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T12:16:04.270

Modified: 2026-03-26T15:13:15.790

Link: CVE-2018-25185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:44Z

Weaknesses