Description
mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality. Attackers can inject SQL code using boolean-based blind, time-based blind, or stacked query techniques in the product URI parameter to extract sensitive database information.
Published: 2026-05-25
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a blind SQL injection in moosocial Store Plugin 2.6 that is triggered by the product parameter through URL rewriting. Attackers can supply boolean‑based, time‑based or stacked query payloads to the product URI and progressively reveal database contents without needing an error response. This permits the unauthorized extraction of sensitive data, compromising the confidentiality and integrity of the stored information.

Affected Systems

Moosocial’s moosocial Store Plugin, version 2.6, is the only version explicitly affected by the listed vulnerability; no other versions are mentioned in the CNA data.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability, and the lack of a publicly documented exploit or KEV listing suggests that no widespread exploitation is presently known. No EPSS score is available; its absence does not diminish the likelihood of targeted attacks, given the unauthenticated nature of the flaw. The likely attack vector is an unauthenticated HTTP request to a publicly reachable URL that carries a crafted product parameter; this can be performed remotely over the network without prior access or credentials.

Generated by OpenCVE AI on May 25, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade the plugin to a fixed version as soon as possible.
  • If an immediate patch is unavailable, restrict the product parameter to authenticated or privileged users only, limiting exposure to the public internet.
  • Pass all input values to the database through parameterized queries or bound statements rather than string concatenation; if the plugin code cannot be modified, deploy a Web Application Firewall that blocks common SQL injection payloads.
  • Monitor application logs for signs of injection attempts, such as unusual SQL error messages or repeated failed queries, and investigate any anomalies promptly.
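The two code-level actions above (parameterized queries and log monitoring) are illustrated below in an added example; it is not code from the page, from mooSocial or from OpenCVE. Python's sqlite3 stands in for the plugin's database, the products table and its rows are constructed sample data, the /store/product/<slug> rewrite shape and ?product= query form are assumed URL layouts, and the access-log lines are constructed. The example shows how a URL-derived product value alters the SQL text when concatenated and how a bound parameter does not, then scans logged requests for the kinds of markers the advisory's boolean-based, time-based and stacked-query techniques leave behind.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample data standing in for a store plugin's product table
# (assumption: the real plugin's schema is not described on the page).
SAMPLE_PRODUCTS = [
    (1, "blue-widget", "Blue Widget", 9.99),
    (2, "o'brien-widget", "O'Brien Widget", 14.50),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, slug TEXT, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def lookup_product_concat(conn, slug):
    """Vulnerable pattern (CWE-89): the URL-derived slug is spliced into the SQL
    text, so a quote in the input changes the structure of the statement."""
    sql = "SELECT id, name, price FROM products WHERE slug = '" + slug + "'"
    return conn.execute(sql).fetchall()


def lookup_product_param(conn, slug):
    """Hardened form: the slug travels as a bound parameter, never as SQL text."""
    sql = "SELECT id, name, price FROM products WHERE slug = ?"
    return conn.execute(sql, (slug,)).fetchall()


def compare(slug):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    try:
        concat = ("ok", lookup_product_concat(conn, slug))
    except sqlite3.Error as exc:
        # A legitimate slug containing an apostrophe already breaks the
        # concatenated query: the same mechanism an injection relies on.
        concat = ("error", str(exc))
    param = ("ok", lookup_product_param(conn, slug))
    conn.close()
    return {"concat": concat, "param": param}


# Constructed access-log lines in Apache combined format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [25/May/2026:14:01:02 +0000] "GET /store/product/blue-widget HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/May/2026:14:01:09 +0000] "GET /store/product/blue-widget%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [25/May/2026:14:02:30 +0000] "GET /store/index.php?product=o%27brien-widget HTTP/1.1" 500 412',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
REWRITE_RE = re.compile(r"^/store/product/([^/]+)")  # assumed rewrite shape

# Markers of the techniques named in the advisory: a quote followed by a
# boolean operator (boolean-based blind), comment or statement separators
# (stacked queries), and delay functions (time-based blind). A lone apostrophe
# is deliberately not a marker, so legitimate slugs like o'brien-widget pass.
SQLI_MARKERS = re.compile(
    r"(--|;|'\s*(?:and|or)\b|\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\b|\bunion\s+select\b)",
    re.IGNORECASE,
)


def product_value(request_line):
    """Return the decoded product value from a logged request, whether it
    arrived via the rewrite path or the ?product= query form, else None."""
    m = REQUEST_RE.search(request_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    rewrite = REWRITE_RE.match(parts.path)
    if rewrite:
        return unquote(rewrite.group(1))
    values = parse_qs(parts.query).get("product")
    return values[0] if values else None


def flag_injection_attempts(log_lines):
    """Return the product values that carry injection markers."""
    flagged = []
    for line in log_lines:
        value = product_value(line)
        if value is not None and SQLI_MARKERS.search(value):
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    for slug in ("blue-widget", "o'brien-widget"):
        print(slug, compare(slug))
    print("flagged:", flag_injection_attempts(SAMPLE_ACCESS_LOG))
```

The third log line is not flagged by the marker scan, but its 500 status on an otherwise ordinary-looking product value is exactly the "unusual SQL error" signal the last bullet asks operators to investigate; in the concatenating code path an apostrophe in a valid slug produces a database error, which is why the scan and the error-rate check belong together.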

Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type                 Values Removed  Values Added
Description          (none)          mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality. Attackers can inject SQL code using boolean-based blind, time-based blind, or stacked query techniques in the product URI parameter to extract sensitive database information.
Title                (none)          mooSocial Store Plugin 2.6 SQL Injection via product parameter
First Time appeared  (none)          Moosocial; Moosocial moosocial
Weaknesses           (none)          CWE-89
CPEs                 (none)          cpe:2.3:a:moosocial:moosocial:2.6:*:*:*:*:*:*:*
Vendors & Products   (none)          Moosocial; Moosocial moosocial
References           (none)          (none)
Metrics              (none)          cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                                     cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T14:15:16.479Z

Reserved: 2026-05-25T13:46:29.723Z

Link: CVE-2018-25371

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T15:30:06Z

Weaknesses