CVE-2026-7143
Description
A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in 1000 Projects Portfolio Management System MCA 1.0 via a base64-encoded parameter in block_status.php allows remote modification of account block status.
The vulnerability exists in /admin/block_status.php and /admin/unblock_me.php of the 1000 Projects Portfolio Management System MCA version 1.0. The q parameter is base64-decoded and directly concatenated into an SQL UPDATE statement without sanitization or parameterization, leading to SQL injection [2].
An attacker can exploit this by crafting a malicious base64-encoded string in the q parameter. The attack is remotely exploitable and, while an admin session is normally required, the reference notes that authentication can be bypassed [2]. Public exploit code is available, increasing the risk of widespread attacks.
Successful exploitation allows an attacker to arbitrarily block or unblock any user account by modifying the block_status column in the reg_details table. This can lead to denial of service for legitimate users or unauthorized elevation of privileges if admins are blocked [2].
No official patch has been released as of the publication date. The vendor has not responded to the disclosure. Mitigation requires implementing prepared statements or input validation. Given the availability of public exploit code, this vulnerability may be added to CISA's Known Exploited Vulnerabilities (KEV) catalog in the future.
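A hardened handler for the update described above, as an added example (not the project's code): the q value is strictly base64-decoded, validated as a positive integer account id, and bound as a parameter instead of being concatenated into the statement. The reg_details table and block_status column come from the advisory; the id column, the admin_id session key, and a db.php include that provides $pdo are assumptions.

```php
<?php
// Added illustration, not the project's code. Assumed: db.php creates a PDO
// connection in $pdo, reg_details has an integer primary key `id`, and the
// admin login stores the admin's id in $_SESSION['admin_id'].
//
// Vulnerable pattern (as described in the advisory): the decoded value is
// concatenated straight into the UPDATE, so the SQL text is attacker-controlled.
//   $id = base64_decode($_GET['q']);
//   $conn->query("UPDATE reg_details SET block_status = 1 WHERE id = $id");

declare(strict_types=1);

require 'db.php'; // assumed to provide $pdo (PDO with ERRMODE_EXCEPTION)
session_start();

function decodeUserId(string $encoded): ?int
{
    // strict=true makes base64_decode return false on any non-base64 byte
    // instead of silently skipping it.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        return null;
    }
    // The only legitimate payload is a positive integer id; reject anything else.
    if (preg_match('/\A[1-9][0-9]{0,9}\z/', $decoded) !== 1) {
        return null;
    }
    return (int) $decoded;
}

function setBlockStatus(PDO $pdo, int $userId, int $status): int
{
    // Parameterized statement: the id travels as a bound value, never as SQL
    // text. $status = 1 blocks, 0 unblocks, so one function serves both
    // block_status.php and unblock_me.php.
    $stmt = $pdo->prepare('UPDATE reg_details SET block_status = :status WHERE id = :id');
    $stmt->execute([':status' => $status, ':id' => $userId]);
    return $stmt->rowCount(); // 0 means no such account
}

// Authorization first: the endpoint is admin-only.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('forbidden');
}
$userId = decodeUserId($_GET['q'] ?? '');
if ($userId === null) {
    http_response_code(400);
    exit('invalid request');
}
$affected = setBlockStatus($pdo, $userId, 1);
error_log(sprintf('admin %d blocked account %d (%d row(s))', $_SESSION['admin_id'], $userId, $affected));
```

The error_log line gives operators a per-action audit trail, which is what makes unexpected bulk blocking or unblocking visible in logs.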
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.0
Patches
No patches discovered yet.