CVE-2018-25210 HIGH

CVE-2018-25210: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter

Vendor Web-Ofisi

Product Ticaret V4

Weakness CWE-79 · XSS

Published March 26, 2026

Last update March 28, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database.

Key dates

02Disclosure timeline

March 26, 2026 CVE published

March 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-25210 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2020-5398 RFD Attack via "Content-Disposition" Header Sourced from Request Input by Spring MVC or Spring WebFlux Application CVE-2023-31228 WordPress CM On Demand Search And Replace Plugin <= 1.3.0 is vulnerable to Cross Site Scripting (XSS) CVE-2025-49037 WordPress Authentication and xmlrpc log writer plugin <= 1.2.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2016-15022 mosbth cimage check_system.php cross site scripting CVE-2025-5754 Useful Tab Block – Responsive & AMP-Compatible <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter