CVE-2018-25382
Description
Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Attackers can send crafted requests to profile.php with UNION-based SQL injection payloads to retrieve table names, column names, and sensitive data from the information_schema database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zechat 1.5 is vulnerable to unauthenticated SQL injection via the uname parameter in profile.php, allowing attackers to extract database contents.
Vulnerability
Zechat 1.5 (vendor Bylancer) contains a SQL injection vulnerability in the profile.php script. The uname GET parameter is not sanitized before being used in a database query, allowing an attacker to inject arbitrary SQL. The vulnerability is present in version 1.5 and possibly earlier versions. [1][2][3]
Exploitation
An unauthenticated attacker can send a crafted HTTP GET request to profile.php with a malicious uname parameter. The provided exploit uses a UNION-based SQL injection payload to extract data from the information_schema database. No authentication or special privileges are required. The attack is straightforward and can be performed remotely. [2]
Impact
Successful exploitation allows an attacker to retrieve sensitive database information, including table names, column names, and user data. This can lead to disclosure of credentials, personal information, or other confidential data stored in the database. The impact is high due to the potential for data exfiltration. [2][3]
Mitigation
According to the available references, no official patch has been released, and the vendor (Bylancer) has not provided a fixed version. Users should consider upgrading to a newer version if one is available, or implement input validation and parameterized queries to prevent SQL injection. The vulnerability is listed in the Exploit Database (EDB-ID 45523) but not in the CISA KEV catalog. [2][3]
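With no fixed version available, reviewing web-server access logs for profile.php requests whose uname value carries the UNION / information_schema pattern described above is a practical compensating check. The following Python is an added example, not code from Zechat or the cited references; the Common/Combined Log Format, the username policy in `VALID_UNAME`, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Markers of the UNION / information_schema injection the advisory describes.
SQLI_TOKENS = re.compile(
    r"union\s+(?:all\s+)?select|information_schema|['\"]|--|/\*", re.I)
# Assumption: legitimate usernames are short and use only these characters.
VALID_UNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Client IP, request target and status from a Common/Combined Log Format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(value, rounds=3):
    """Undo nested URL encoding (%2527 -> %27 -> ') before matching."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def classify_uname(target):
    """Return None if the request is out of scope, otherwise a verdict."""
    url = urlsplit(target)
    values = parse_qs(url.query, keep_blank_values=True).get("uname")
    if values is None or not url.path.lower().endswith("/profile.php"):
        return None
    verdict = "ok"
    for value in map(normalize, values):
        if SQLI_TOKENS.search(value):
            return "sqli-pattern"
        if not VALID_UNAME.fullmatch(value):
            verdict = "unexpected-format"
    return verdict

def scan(lines):
    """Return (client_ip, status, verdict) for each flagged uname request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        verdict = classify_uname(m.group(2)) if m else None
        if verdict not in (None, "ok"):
            hits.append((m.group(1), m.group(3), verdict))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from the page.
SAMPLE_LOG = [
    '198.51.100.10 - - [01/Jan/2024:10:00:00 +0000] "GET /profile.php?uname=alice HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /profile.php?uname=x%27+UNION+SELECT+table_name+FROM+information_schema.tables HTTP/1.1" 200 9311',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /profile.php?uname=x%2527%2520union%2520select%25201 HTTP/1.1" 200 4800',
    '198.51.100.22 - - [01/Jan/2024:10:01:00 +0000] "GET /profile.php?uname=bob%20smith HTTP/1.1" 404 312',
    '198.51.100.22 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?q=union+select HTTP/1.1" 200 100',
]
```

`scan(SAMPLE_LOG)` flags the two requests from 203.0.113.7 as `sqli-pattern`, including the double-encoded one, and the `bob smith` request as `unexpected-format`; the same `VALID_UNAME` allow-list can serve as the input-validation rule in front of the application.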
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 4
News mentions: 0
No linked articles in our index yet.