Description
Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized admin access via SQL injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an SQL injection flaw in the admin login function that allows an attacker to supply malicious SQL through the username field in a POST request. This flaw lets unauthenticated users bypass authentication, read sensitive database data, and obtain administrative privileges. The weakness is classified as CWE-89 (improper neutralization of special elements used in an SQL command), a classic input-handling error.

Affected Systems

The affected system is the Wecodex Hotel CMS, version 1.0, sold and maintained by Wecodex. Users running this exact version are exposed.

Risk and Exploitability

With a CVSS v4.0 base score of 8.8 (v3.1: 8.2) the vulnerability is classified as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Nevertheless, the attack vector is a standard web-based POST request to index.php?action=processlogin, meaning any host with the vulnerable CMS exposed to the internet could be targeted by automated scripts that insert SQL payloads into the username field.

Generated by OpenCVE AI on March 28, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor provided patch or upgrade to a version of Wecodex Hotel CMS that eliminates the SQL injection flaw.
  • Configure a web application firewall or intrusion detection system to block or alert on suspicious SQL patterns in login requests.
  • If a patch is not yet available, consider disabling the admin login interface or requiring additional authentication factors for access.
  • Monitor web server logs for repeated failed login attempts containing SQL keywords and investigate any incidents promptly.
  • Contact Wecodex for an official fix and update the system as soon as the patch is released.
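The monitoring and WAF actions above, worked through as an added example (this is not Wecodex's or OpenCVE's code). It screens login attempts to index.php?action=processlogin for SQL metacharacters and keywords in the username, and places the parameterised lookup that removes the CWE-89 flaw class next to it. The log format is a hypothetical application log, since a plain web-server access log does not record POST bodies; the log lines, the `admins` table and the account in it are constructed for the demonstration.

```python
"""Added example for this advisory (not Wecodex code): screen login requests for
SQL-injection patterns and show the parameterised lookup that removes the flaw class."""
import hashlib
import hmac
import re
import sqlite3
from urllib.parse import parse_qs, unquote, urlsplit

# The request path and action named in the advisory.
LOGIN_PATH = "/index.php"
LOGIN_ACTION = "processlogin"

# Heuristic: SQL string terminators, comment markers, statement separators and
# keywords that have no business in a username. Keywords are whole-word anchored,
# so names such as "andrew" do not match; apostrophes in real names will.
SQLI_PATTERN = re.compile(
    r"""('|"|--|#|/\*|;|\b(?:or|and|union|select|sleep|benchmark)\b)""",
    re.IGNORECASE,
)

# Constructed log lines in a hypothetical application-log format: timestamp,
# client IP, method, request target, URL-encoded username, response status.
LOG_LINES = [
    "2026-03-26T12:00:01Z 203.0.113.10 POST /index.php?action=processlogin username=alice status=302",
    "2026-03-26T12:00:05Z 203.0.113.10 POST /index.php?action=processlogin username=alice status=401",
    "2026-03-26T12:00:09Z 198.51.100.7 POST /index.php?action=processlogin username=admin'%20OR%201=1--%20 status=302",
    "2026-03-26T12:00:12Z 198.51.100.7 POST /index.php?action=processlogin username=admin'%20--%20 status=500",
    "2026-03-26T12:00:15Z 192.0.2.5 GET /index.php?action=home status=200",
]


def looks_like_sqli(value: str) -> bool:
    """True when the decoded value carries SQL metacharacters or keywords."""
    return SQLI_PATTERN.search(value) is not None


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields; the username is URL-decoded."""
    ts, ip, method, target, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    url = urlsplit(target)
    return {
        "ts": ts,
        "ip": ip,
        "method": method,
        "path": url.path,
        "action": parse_qs(url.query).get("action", [""])[0],
        "username": unquote(fields.get("username", "")),
        "status": int(fields.get("status", "0")),
    }


def flag_login_attempts(lines):
    """Return parsed records for login POSTs whose username looks like SQL."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if rec["action"] != LOGIN_ACTION:
            continue
        if looks_like_sqli(rec["username"]):
            hits.append(rec)
    return hits


def build_demo_db() -> sqlite3.Connection:
    """In-memory admin table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO admins (username, pw_hash) VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str):
    """Hardened lookup: the username is bound as a parameter, never spliced into
    the SQL text, so an injected value is just a non-existent name.
    Returns the admin id on success, None otherwise."""
    row = conn.execute(
        "SELECT id, pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    # Placeholder hash: production code uses a slow, salted hash such as scrypt or argon2.
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return row[0] if hmac.compare_digest(row[1], candidate) else None


if __name__ == "__main__":
    for rec in flag_login_attempts(LOG_LINES):
        print(f"{rec['ts']} {rec['ip']} suspicious username={rec['username']!r} status={rec['status']}")
    db = build_demo_db()
    print("alice / correct password ->", authenticate(db, "alice", "correct horse"))
    print("injected username ->", authenticate(db, "admin' OR 1=1-- ", "x"))
```

Because the pattern flags any apostrophe, legitimate names such as O'Brien will trigger it; treat matches as alerts to correlate with the response status (a 302 after a flagged username is the case worth investigating first) rather than as an automatic block. The parameterised query is the actual fix; the screening only buys time until the vendor patch exists.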


Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wecodex hotel Cms
CPEs                |                | cpe:2.3:a:wecodex:hotel_cms:1.0:*:*:*:*:*:*:*
Vendors & Products  |                | Wecodex hotel Cms
Metrics             |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wecodex; Wecodex wecodex Hotel Cms
Vendors & Products  |                | Wecodex; Wecodex wecodex Hotel Cms

Thu, 26 Mar 2026 12:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.
Title       |                | Wecodex Hotel CMS 1.0 SQL Injection via Admin Login
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
            |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-28T02:14:12.286Z

Reserved: 2026-03-06T12:00:30.883Z

Link: CVE-2018-25195

Vulnrichment

Updated: 2026-03-28T02:14:07.340Z

NVD

Status: Analyzed

Published: 2026-03-26T12:16:04.467

Modified: 2026-03-27T21:00:18.543

Link: CVE-2018-25195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:27:57Z

Weaknesses