{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25206", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-26T11:33:29.009Z", "datePublished": "2026-03-26T11:39:53.286Z", "dateUpdated": "2026-03-28T02:15:20.514Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:53.286Z"}, "datePublic": "2018-05-25T00:00:00.000Z", "title": "KomSeo Cart 1.3 SQL Injection via edit.php", "descriptions": [{"lang": "en", "value": "KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Attackers can submit POST requests with malicious SQL payloads to extract sensitive database information using boolean-based blind or error-based injection techniques."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Sitemakin", "product": "KomSeo Cart", "versions": [{"version": "1.3", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/44753", "name": "ExploitDB-44753", "tags": ["exploit"]}, {"url": "https://sitemakin.com", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: KomSeo Cart 1.3 SQL Injection via edit.php", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/komseo-cart-sql-injection-via-edit-php"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T02:15:08.746509Z", "id": "CVE-2018-25206", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:15:20.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25206", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-28T02:15:08.746509Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:15:15.302Z"}}], "cna": {"title": "KomSeo Cart 1.3 SQL Injection via edit.php", "credits": [{"lang": "en", "type": "finder", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Sitemakin", "product": "KomSeo Cart", "versions": [{"status": "affected", "version": "1.3"}]}], "datePublic": "2018-05-25T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/44753", "name": "ExploitDB-44753", "tags": ["exploit"]}, {"url": "https://sitemakin.com", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/komseo-cart-sql-injection-via-edit-php", "name": "VulnCheck Advisory: KomSeo Cart 1.3 SQL Injection via edit.php", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Attackers can submit POST requests with malicious SQL payloads to extract sensitive database information using boolean-based blind or error-based injection techniques."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:53.286Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25206", "state": "PUBLISHED", "dateUpdated": "2026-03-28T02:15:20.514Z", "dateReserved": "2026-03-26T11:33:29.009Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-26T11:39:53.286Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Attackers can submit POST requests with malicious SQL payloads to extract sensitive database information using boolean-based blind or error-based injection techniques."}, {"lang": "es", "value": "KomSeo Cart 1.3 contiene una vulnerabilidad de inyecci\u00f3n SQL que permite a los atacantes inyectar comandos SQL a trav\u00e9s del par\u00e1metro 'my_item_search' en edit.php. Los atacantes pueden enviar solicitudes POST con cargas \u00fatiles SQL maliciosas para extraer informaci\u00f3n sensible de la base de datos utilizando t\u00e9cnicas de inyecci\u00f3n ciega basada en booleanos o basada en errores."}], "id": "CVE-2018-25206", "lastModified": "2026-05-01T15:23:27.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:05.650", "references": [{"source": "disclosure@vulncheck.com", "url": "https://sitemakin.com"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/44753"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/komseo-cart-sql-injection-via-edit-php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KomSeo Cart", "source": "cna", "vendor": "Sitemakin"}, "product": "komseo_cart", "vendor": "sitemakin"}], "analysis": {"en": {"generated_at": "2026-03-26T14:08:52.761314+00:00", "value": {"mitigation_remediation": ["Apply the official patch or upgrade to a non\u2011vulnerable version of KomSeo Cart released by Sitemakin.", "If a patch is unavailable, block or restrict access to edit.php or the my_item_search parameter using a web\u2011application firewall or server configuration.", "Ensure the database account used by KomSeo Cart has the least privilege necessary\u2014limit it to the permissions required for normal operation.", "Implement input validation and use parameterized queries or prepared statements for the my_item_search field to mitigate injection until an official fix is applied."], "summary": {"action": "Patch", "impact": "Data Disclosure"}, "threat_synthesis": {"affected_systems": "The issue affects the Sitemakin KomSeo Cart application version 1.3. The CNA data does not list any other affected versions, so the scope is limited to this release. No other products or vendors are identified.", "description_and_impact": "KomSeo Cart 1.3 contains a classic SQL injection vulnerability that allows attackers to inject arbitrary SQL through the my_item_search parameter in edit.php. By submitting crafted POST requests, an adversary can employ boolean\u2011based blind or error\u2011based techniques to extract sensitive data from the database. This results in a breach of confidentiality, as the attacker may read private information stored in the database. The weakness corresponds to CWE\u201189, which represents unvalidated input that leads to SQL injection.", "risk_and_exploitability": "The base CVSS score of 8.8 indicates high severity. The EPSS score of less than 1\u202f that, at the time of assessment, the probability of exploitation is low, although the vulnerability is publicly known. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, meaning there is no confirmed active exploitation in the wild. The attack vector is most likely remote over the network: an attacker who can reach the exposed web application and submit POST data to edit.php can trigger the injection. No special privileges or pre\u2011existing access are mentioned in the CVE description, so a standard web\u2011app attacker with access to the public interface can attempt exploitation. Successful exploitation would allow the attacker to read sensitive data from the database, potentially including customer information, order details, or other confidential data."}}}}, "created": "2026-03-27T08:36:04.762266+00:00", "updated": "2026-03-27T09:28:42.828827+00:00", "vendors": ["sitemakin", "sitemakin$PRODUCT$komseo_cart"]}