VYPR
Unrated severity · NVD Advisory · Published May 24, 2019 · Updated Aug 5, 2024

CVE-2018-17843

Description

SQL injection exists in ADD Clicking MLM Software 1.0, Binary MLM Software 1.0, Level MLM Software 1.0, Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Investment MLM Software 1.0, Bidding MLM Software 1.0, Moneyorder MLM Software 1.0, Repurchase MLM Software 1.0, and Gift MLM Software 1.0 via the member/readmsg.php msg_id parameter, the member/tree.php pid parameter, or the member/downline.php m_id parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in multiple MLM Software packages allows remote unauthenticated attackers to extract database information via crafted parameters.

Vulnerability

A SQL injection vulnerability exists in ADD Clicking MLM Software 1.0, Binary MLM Software 1.0, Level MLM Software 1.0, Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Investment MLM Software 1.0, Bidding MLM Software 1.0, Moneyorder MLM Software 1.0, Repurchase MLM Software 1.0, and Gift MLM Software 1.0. The flaw is present in the member/readmsg.php, member/tree.php, and member/downline.php scripts, where the msg_id, pid, and m_id parameters are not properly sanitized before being used in database queries [1].

Exploitation

An attacker can exploit this vulnerability by sending HTTP GET requests to any of the affected scripts with a malicious SQL payload in the vulnerable parameter. No authentication is required. The exploit-db entry demonstrates a proof-of-concept for the msg_id parameter in member/readmsg.php using a UNION-based SQL injection [1]. The same method can be applied to the other parameters.

Impact

Successful exploitation allows an attacker to extract sensitive information from the database, such as user credentials, personal data, and application configuration. The injection can also potentially be used to modify or delete data, leading to broader compromise of the application and its users.

Mitigation

As of the publication date, no official patch or update has been released by the vendor. Users are advised to apply input validation and parameterized queries to mitigate the issue. Given that the software appears to be outdated and may not be actively maintained, migration to a supported alternative is recommended.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `msg_id`, `pid`, and `m_id` parameters allows direct SQL injection into database queries."

Attack vector

An unauthenticated attacker can append SQL injection payloads to the `msg_id` parameter in a GET request to `/member/readmsg.php`. The exploit sends a URL-encoded UNION SELECT statement that extracts database metadata such as the current database user, database name, and version [ref_id=1]. No authentication or special privileges are required; the only precondition is network access to the vulnerable application.
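The request shape described above is straightforward to spot in web-server logs, because all three affected parameters (`msg_id`, `pid`, `m_id`) should only ever carry numeric ids. The following Python script is an added example, not code from the advisory, the exploit-db entry, or the MLM software: it parses a few constructed Apache combined-format log lines (not real traffic), URL-decodes each query string, and flags any request to the three affected scripts whose watched parameter is not a plain integer. The `/mlm/` path prefix, the client addresses, and the log lines themselves are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script -> parameter pairs named in the advisory for CVE-2018-17843.
WATCHED_PARAMS = {
    "/member/readmsg.php": "msg_id",
    "/member/tree.php": "pid",
    "/member/downline.php": "m_id",
}

# Constructed sample lines in Apache combined format (not real traffic).
# The /mlm/ prefix and the client addresses are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2019:10:00:01 +0000] "GET /mlm/member/readmsg.php?msg_id=12 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2019:10:00:02 +0000] "GET /mlm/member/readmsg.php?msg_id=-1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 1433 "-" "curl/7.64.0"
203.0.113.7 - - [24/May/2019:10:00:03 +0000] "GET /mlm/member/tree.php?pid=7%20OR%201%3D1 HTTP/1.1" 200 2210 "-" "curl/7.64.0"
203.0.113.9 - - [24/May/2019:10:00:04 +0000] "GET /mlm/member/downline.php?m_id=44 HTTP/1.1" 200 600 "-" "Mozilla/5.0"
203.0.113.9 - - [24/May/2019:10:00:05 +0000] "GET /mlm/index.php HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_clean_id(value: str) -> bool:
    """The watched parameters are numeric ids; anything else is an anomaly."""
    return value.isdigit()


def scan_log(text: str) -> list:
    """Return one finding per request whose watched parameter is not a plain integer.

    parse_qs() URL-decodes the values, so a quote, UNION keyword or comment
    sequence that arrived percent-encoded is still seen in its decoded form.
    Because this is an allowlist check rather than a signature match, any
    other obfuscation of a non-numeric value is flagged as well.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable combined-format line
        parts = urlsplit(m.group("target"))
        for script, param in WATCHED_PARAMS.items():
            if parts.path.endswith(script):
                break
        else:
            continue  # request is not for one of the three affected scripts
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not is_clean_id(raw):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "script": script,
                    "param": param,
                    "value": raw,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} {f['param']}={f['value']!r}")
```

Run against the constructed lines, the scanner reports the two requests whose ids are not plain integers and stays silent on the legitimate lookups and on the unrelated `index.php` hit. On a real deployment, feed it the access log and adjust `WATCHED_PARAMS` if the application is installed under a different path; matching on the path suffix keeps the `/[PATH]/` prefix from the advisory irrelevant.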

Affected code

The vulnerability is in the `member/readmsg.php` script, where the `msg_id` parameter is passed unsanitized into a SQL query. The same class of flaw also exists in `member/tree.php` (via the `pid` parameter) and `member/downline.php` (via the `m_id` parameter) across all ten MLM software variants [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not include a vendor fix or remediation commit. To close the vulnerability, the application must use parameterized queries (prepared statements) or properly escape the `msg_id`, `pid`, and `m_id` parameters before including them in SQL statements [ref_id=1].
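The Mitigation and "What the fix does" sections both come down to the same change: stop splicing `msg_id`, `pid` and `m_id` into SQL text and bind them as parameters instead. The following Python script is an added example, written for this advisory and not taken from the MLM software (which is PHP) or from the exploit-db entry; it uses an in-memory SQLite database with an assumed schema (the real table and column names are not published) to show the flawed string-concatenation lookup beside two hardened forms, one that only binds the parameter and one that also validates it.

```python
import sqlite3

# Constructed in-memory stand-in for the application's database. The MLM
# software's real schema is not published, so the table and column names
# below are assumptions made for this demonstration.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (msg_id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                     [(1, "alice", "welcome"), (2, "bob", "bonus paid")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    return conn


# A crafted msg_id of the class the advisory describes: a quote closes the
# string literal, a UNION appends rows from another table, and a trailing
# comment discards the remainder of the original statement.
INJECTED_MSG_ID = "-1' UNION SELECT id, name, pw_hash FROM users-- -"


def read_msg_vulnerable(conn: sqlite3.Connection, msg_id: str) -> list:
    """The flawed pattern: the request parameter is spliced into the SQL text."""
    sql = f"SELECT msg_id, owner, body FROM messages WHERE msg_id = '{msg_id}'"
    return conn.execute(sql).fetchall()


def read_msg_bound_only(conn: sqlite3.Connection, msg_id: str) -> list:
    """Parameter binding alone: the driver passes the value as data, so the
    crafted string is compared as one literal and simply matches nothing."""
    sql = "SELECT msg_id, owner, body FROM messages WHERE msg_id = ?"
    return conn.execute(sql, (msg_id,)).fetchall()


def read_msg_fixed(conn: sqlite3.Connection, msg_id: str) -> list:
    """Binding plus validation: reject anything that is not a non-negative
    integer before it reaches the database, then bind the integer."""
    if not msg_id.isdigit():
        raise ValueError("msg_id must be a non-negative integer")
    sql = "SELECT msg_id, owner, body FROM messages WHERE msg_id = ?"
    return conn.execute(sql, (int(msg_id),)).fetchall()


def fixed_rejects(conn: sqlite3.Connection, msg_id: str) -> bool:
    """True when the hardened lookup refuses the value (used by the checks)."""
    try:
        read_msg_fixed(conn, msg_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable :", read_msg_vulnerable(db, INJECTED_MSG_ID))
    print("bound only :", read_msg_bound_only(db, INJECTED_MSG_ID))
    print("fixed      :", fixed_rejects(db, INJECTED_MSG_ID))
```

The vulnerable lookup returns rows from the `users` table for the crafted value, which is the information-disclosure outcome the advisory describes; the bound-only version returns nothing, and the validated version raises before any query runs. The same two-step shape (validate the type you expect, then bind) applies unchanged to `pid` in `member/tree.php` and `m_id` in `member/downline.php`; in the application's own PHP it corresponds to using PDO or mysqli prepared statements with placeholders.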

Preconditions

  • Network access to the vulnerable MLM application
  • No authentication required

Reproduction

1. Navigate to `http://[TARGET]/[PATH]/member/readmsg.php?msg_id=-test5' UNION(SELECT(1),(2),(3),(4),(5),(6),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(8),(9),(10),(11),(12),(13),(14),(15))-- -` [ref_id=1].
2. The response will display the database user, database name, and MySQL version injected into the output.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0. No linked articles in our index yet.