VYPR
High severity · 8.2 · NVD Advisory · Published May 30, 2026

CVE-2018-25422

Description

MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in MOGG web simulator's play.php allows extraction of sensitive database data.

Vulnerability

MOGG web simulator Script (all versions) contains an SQL injection vulnerability in play.php. The id parameter is not properly sanitized before being used in SQL queries, allowing unauthenticated attackers to inject arbitrary SQL commands. Affected versions include all releases up to and including the latest, with no version-specific fix indicated. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted GET request to play.php with malicious SQL payloads injected into the id parameter. No authentication is required, and the attack can be performed remotely over the network. The attacker only needs to be able to reach the web server hosting the vulnerable application. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to the extraction of sensitive information from the database, such as usernames and other data. The impact primarily affects data confidentiality (high), with limited integrity impact (low) via potential data modification. [1]

Mitigation

As of the publication date (2026-05-30), no fixed version has been released by the vendor. The application appears to be unmaintained; the GitHub repository [2] does not indicate recent patches. Mitigation may include input validation on the id parameter or use of parameterized queries in play.php. Administrators should consider restricting access to play.php via .htaccess or similar mechanisms until a patch is available. The vulnerability is currently listed in advisories but is not part of the CISA KEV catalog. [1][2]
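While no patch exists, web server access logs can be reviewed for requests to play.php whose id value is not a plain integer. The following is an added example, not code from the advisory or the MOGG project; it assumes Apache/nginx combined log format and that legitimate id values are decimal integers, and the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: capture the client address and request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def suspicious_play_requests(lines):
    """Return (client, decoded id value) for each request to play.php whose
    id is not a plain decimal integer (assumption: real ids are integers)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we can parse
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/play.php"):
            continue
        # parse_qs percent-decodes values; keep_blank_values so "id=" is seen.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id", []):
            # Allow-list check: anything other than 1-10 ASCII digits is flagged.
            if not re.fullmatch(r"[0-9]{1,10}", value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2026:10:00:01 +0000] "GET /play.php?id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/May/2026:10:00:05 +0000] "GET /play.php?id=12%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [30/May/2026:10:00:09 +0000] "GET /play.php?id=3%20AND%20x HTTP/1.1" 200 5120',
    '192.0.2.10 - - [30/May/2026:10:00:12 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value in suspicious_play_requests(SAMPLE_LOG):
        print(f"{ip}\tid={value!r}")
```

The same allow-list rule (digits only) is the input validation the paragraph above refers to; requests it flags are candidates for manual review, not proof of compromise.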

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
