CVE-2018-19415
Description
Multiple SQL injection vulnerabilities in Plikli CMS 4.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to join_group.php or (2) comment_id parameter to story.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plikli CMS 4.0.0 is vulnerable to blind SQL injection via the `id` and `comment_id` parameters, allowing remote unauthenticated attackers to execute arbitrary SQL commands.
Vulnerability
Plikli CMS version 4.0.0 contains blind SQL injection vulnerabilities in two endpoints. The id parameter in join_group.php and the comment_id parameter in story.php are not properly sanitized, allowing an attacker to inject SQL commands via GET requests. [1]
Exploitation
An attacker can exploit these vulnerabilities remotely without authentication by sending crafted HTTP GET requests. For join_group.php, the id parameter is injected with a time-based blind SQL payload (e.g., using SLEEP(25)). Similarly, for story.php, the comment_id parameter is injected. The advisory demonstrates the attack patterns. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the database, potentially leading to data exfiltration, modification, or denial of service. The blind SQL injection can be used to extract sensitive information from the database. [1]
Mitigation
The vendor fixed the issue on 3 August 2018, as per the advisory timeline. Users should upgrade to a patched version of Plikli CMS. No workarounds are provided. [1]
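The root cause described above (a request parameter spliced into SQL text) and the fix (bind the value as a parameter, validate its type) are easier to see side by side. The following is an added illustration, not Plikli's code or its schema: it uses an in-memory SQLite table standing in for a CMS comments table, and since SQLite has no SLEEP() function the injected value is a plain tautology rather than the time-based payload the advisory used. The function names and the `comments` table are constructed for this example.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a CMS comments table
    (hypothetical schema; not Plikli's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (comment_id INTEGER PRIMARY KEY, story_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments VALUES (?, ?, ?)",
        [(1, 10, "first"), (2, 10, "second"), (3, 11, "third")],
    )
    return conn


def fetch_comment_vulnerable(conn, comment_id):
    """Vulnerable pattern: the raw request parameter is interpolated into the
    SQL text, so anything the client sends is parsed as SQL."""
    sql = f"SELECT comment_id, body FROM comments WHERE comment_id = {comment_id}"
    return conn.execute(sql).fetchall()


def fetch_comment_bound(conn, comment_id):
    """Parameter binding alone: the value travels to the engine as data, never
    as SQL. A non-numeric string simply matches no integer key."""
    return conn.execute(
        "SELECT comment_id, body FROM comments WHERE comment_id = ?", (comment_id,)
    ).fetchall()


def fetch_comment_safe(conn, comment_id):
    """Hardened pattern: enforce the expected type up front, then bind.
    Rejecting malformed input early also gives a clean signal to log on."""
    if not re.fullmatch(r"[0-9]{1,9}", str(comment_id)):
        raise ValueError("comment_id must be a positive integer")
    return conn.execute(
        "SELECT comment_id, body FROM comments WHERE comment_id = ?", (int(comment_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # constructed tautology standing in for an injected value
    print("vulnerable:", fetch_comment_vulnerable(db, payload))  # every row leaks
    print("bound only:", fetch_comment_bound(db, payload))       # no rows
    try:
        fetch_comment_safe(db, payload)
    except ValueError as exc:
        print("safe:", exc)                                       # rejected
    print("safe, honest input:", fetch_comment_safe(db, "2"))
```

The middle function is there to show that binding by itself already closes the hole; the type check in the hardened version is defence in depth and turns a malformed `comment_id` into an explicit error the application can log and alert on.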
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Plikli CMS, version = 4.0.0 (no CPE assigned)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://seclists.org/fulldisclosure/2018/Dec/8 (MITRE; mailing list, FULLDISC)
- [1] https://www.netsparker.com/web-applications-advisories/ns-18-031-blind-sql-injection-in-plikli/ (MITRE; MISC)
News mentions
No linked articles in our index yet.