CVE-2018-25188
Description
Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract sensitive database information including usernames, databases, and version details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Webiness Inventory 2.3 has an unauthenticated SQL injection in the order parameter of WsModelGrid.php, letting attackers extract sensitive data.
Root Cause
Webiness Inventory 2.3 is vulnerable to SQL injection in the order parameter of the WsModelGrid.php endpoint. The application fails to properly sanitize user input, allowing an attacker to inject arbitrary SQL code into database queries [1].
Exploitation
An unauthenticated attacker can send a crafted POST request to protected/library/ajax/WsModelGrid.php with a malicious order parameter. No authentication is required, making the attack surface broad [1]. The proof-of-concept payload demonstrates extracting the current database user, database name, and MySQL version via USER(), DATABASE(), and VERSION() functions, using CONCAT_WS and subqueries [1].
Impact
Successful exploitation allows an attacker to extract sensitive information such as usernames, database names, and version details. This can lead to the compromise of other accounts or further attacks against the database [1]. The CVSS v3 score of 8.2 (High) reflects the ease of exploitation and the potential for data exposure.
Mitigation
The vendor has not released an official patch; the software appears to be no longer maintained. Administrators should consider removing or restricting access to the vulnerable endpoint, or migrating to an alternative inventory solution [1].
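Because the injection point is an ORDER BY fragment, sanitizing is the wrong tool: the fix is to allow-list the sortable column names and the sort direction and reject everything else. The following added example (not Webiness code; the column names, the log line format and the sample lines are constructed for illustration) shows that allow-list check, and reuses it to flag requests to WsModelGrid.php whose order value carries the USER()/DATABASE()/VERSION()/CONCAT_WS or subquery patterns the description mentions.

```python
import re
from urllib.parse import parse_qs

# Columns the grid may sort on. Constructed placeholder names; the real
# Webiness grid columns are not given on the page.
ALLOWED_SORT_COLUMNS = {"id", "name", "quantity", "created_at"}

# Exactly one identifier, optionally followed by ASC or DESC, nothing else.
_ORDER_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?\s*$",
                       re.IGNORECASE)

def safe_order_clause(order_param, allowed=ALLOWED_SORT_COLUMNS):
    """Map an untrusted `order` value onto a fixed ORDER BY fragment.
    Returns None (caller should fall back to a default sort or reject the
    request) for anything that is not an allow-listed column plus an
    optional direction; functions, commas, quotes and subqueries never pass."""
    m = _ORDER_RE.match(order_param or "")
    if not m:
        return None
    column = m.group(1).lower()
    direction = (m.group(2) or "ASC").upper()
    if column not in allowed:
        return None
    # The identifier is quoted only from the allow-list, never from user input.
    return f"ORDER BY `{column}` {direction}"

# Information-gathering functions and subqueries named in the advisory.
_PROBE_RE = re.compile(r"\b(USER|DATABASE|VERSION|CONCAT_WS)\s*\(|\(\s*SELECT\b",
                       re.IGNORECASE)

def flag_suspicious_order(log_line):
    """True when a WsModelGrid.php request carries an `order` value that the
    allow-list rejects and that contains one of the probe patterns.
    Assumes a constructed log format: 'POST <path> body=<urlencoded form>'."""
    if "WsModelGrid.php" not in log_line or " body=" not in log_line:
        return False
    body = log_line.rsplit(" body=", 1)[-1]
    order = parse_qs(body).get("order", [""])[0]
    return safe_order_clause(order) is None and bool(_PROBE_RE.search(order))

# Constructed sample lines: one normal sort, one probe, one normal sort.
SAMPLE_LOG = [
    "POST /protected/library/ajax/WsModelGrid.php body=order=name+DESC",
    "POST /protected/library/ajax/WsModelGrid.php body=order=(SELECT+VERSION())",
    "POST /protected/library/ajax/WsModelGrid.php body=order=quantity",
]

def scan_log(lines=SAMPLE_LOG):
    """Return the lines that flag_suspicious_order() marks as probes."""
    return [line for line in lines if flag_suspicious_order(line)]
```

On the constructed sample, only the second line is returned by scan_log(); the two legitimate sorts map onto fixed ORDER BY fragments.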
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2