Description
A vulnerability was determined in KLiK SocialMediaWebsite up to 1.0.1. This vulnerability affects unknown code of the file /includes/get_message_ajax.php of the component Private Message Handler. Executing a manipulation of the argument c_id can lead to sql injection. It is possible to launch the attack remotely.
Published: 2026-04-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Now
AI Analysis

Impact

A flaw in the Private Message Handler of KLiK SocialMediaWebsite allows the manipulation of the c_id argument within the get_message_ajax.php script to inject arbitrary SQL statements. Exploiting this vulnerability can enable an attacker to read, modify, or delete sensitive data stored in the database, undermining data confidentiality and integrity. The impact is confined to database operations and does not directly grant code execution or system control.

Affected Systems

KLiK SocialMediaWebsite versions up to and including 1.0.1 are affected. The vulnerability resides in the Private Message Handler component, specifically the /includes/get_message_ajax.php file. Systems running these versions should be considered at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the EPSS score of less than 1% reflects a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. According to the description, the attack can be performed remotely by sending a crafted request that alters the c_id parameter; no additional authentication or local privilege is required beyond a valid Network access to the web application.

Generated by OpenCVE AI on April 28, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a fixed version of KLiK SocialMediaWebsite (e.g., 1.0.2 or later).
  • Modify the get_message_ajax.php script to use prepared statements or properly escape the c_id parameter to prevent SQL injection.
  • Configure the application to run database queries with a user that has only read access, and restrict write operations for private message data.

Generated by OpenCVE AI on April 28, 2026 at 13:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Klik
Klik socialmediawebsite
Vendors & Products Klik
Klik socialmediawebsite

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in KLiK SocialMediaWebsite up to 1.0.1. This vulnerability affects unknown code of the file /includes/get_message_ajax.php of the component Private Message Handler. Executing a manipulation of the argument c_id can lead to sql injection. It is possible to launch the attack remotely.
Title KLiK SocialMediaWebsite Private Message get_message_ajax.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Klik Socialmediawebsite
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:33:56.667Z

Reserved: 2026-04-24T20:21:58.217Z

Link: CVE-2026-7002

cve-icon Vulnrichment

Updated: 2026-04-27T13:20:26.702Z

cve-icon NVD

Status : Deferred

Published: 2026-04-25T22:16:19.833

Modified: 2026-04-27T18:46:41.563

Link: CVE-2026-7002

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:30:32Z

Weaknesses