CVE-2018-25340

Vulnerability

Smartshop version 1 (as hosted on GitHub) is vulnerable to SQL injection in multiple endpoints. The category.php script directly uses the id GET parameter in a SQL query without sanitization: $id_category =$_GET['id']; and then $queryproduct = "SELECT ... WHERE id_category = '{$id_category}' ...". This allows an attacker to inject arbitrary SQL. The same issue exists in product.php (id parameter) and search.php (searched parameter) [1][2]. The software is a free e-commerce starter template [3].

Exploitation

An unauthenticated attacker can send a GET request to category.php with a UNION-based payload in the id parameter, e.g., ' UNION SELECT 1,user(),3,4,5%23. This exploits the lack of input validation and parameterized queries. No authentication or special privileges are required; the attacker only needs network access to the web server [1][2]. The exploit is publicly available on Exploit-DB [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries, leading to disclosure of sensitive database contents such as usernames, passwords (if stored in plaintext or hashed), and other application data. The CVSS v3 score is 8.2 (High) with high confidentiality impact [2]. The attacker can also potentially modify data via UPDATE/INSERT queries, though the primary risk is information disclosure.

Mitigation

As of the available references, no official patch has been released. The vendor's GitHub repository (Smartshop) appears unmaintained; the last commit was in 2017 [3]. Users should migrate to a supported e-commerce platform or manually implement prepared statements/parameterized queries for all user-supplied input. The vulnerability is listed in the Exploit-DB archive [1] and tracked by VulnCheck [2]. No KEV listing is mentioned.