CVE-2025-10967 MEDIUM

CVE-2025-10967: MuFen-mker PHP-Usermm chkuser.php sql injection

Vendor Mufen-Mker
Product PHP-Usermm
Weakness CWE-89 · SQLi
Published September 25, 2025
Last update September 26, 2025
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was detected in MuFen-mker PHP-Usermm up to 37f2d24e51b04346dfc565b93fc2fc6b37bdaea9. This affects an unknown part of the file /chkuser.php. Performing manipulation of the argument Username results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

September 25, 2025 CVE published
September 26, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-21666 SQL Injection in useredit.php CVE-2025-11310 Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 findFileServerPage.do findFileServerPage sql injection CVE-2023-53877 Bus Reservation System 1.1 Multiple SQL Injection via pickup_id Parameter CVE-2025-10730 Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection CVE-2024-8308 Siempelkamp: SQL injection due to improper handling of HTTP request input data