What is the CVSS score of CVE-2015-20121?

CVE-2015-20121 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2015-20121?

RealtyScript 4.0.2 contains critical SQL injection vulnerabilities in administrative functions that allow unauthenticated attackers to access or manipulate sensitive database records without…

Is there a public PoC exploit available for CVE-2015-20121?

Yes, a public proof-of-concept exploit is available for CVE-2015-20121. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2015-20121?

Within 24 hours: Isolate affected RealtyScript instances from production or restrict network access to /admin/ paths; audit access logs for exploitation attempts. Within 7 days: Deploy WAF rules to block SQL injection patterns in 'u_id' and 'agent[]' parameters; implement input validation and parameterized queries through custom code patching if vendor patch unavailable. Within 30 days: Complete migration to patched version when available; conduct forensic review of database logs for unauthorized access; notify affected customers if data exposure is confirmed.

PHP CVE-2015-20121

EUVD-2015-9423 HIGH

SQL Injection (CWE-89)

2026-03-15 VulnCheck

Denial Of Service SQLi PHP Realtyscripts

8.2

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

PoC Detected

Mar 18, 2026 - 15:24 vuln.today

Public exploit code

EUVD ID Assigned

Mar 15, 2026 - 20:00 euvd

EUVD-2015-9423

Analysis Generated

Mar 15, 2026 - 20:00 vuln.today

CVE Published

Mar 15, 2026 - 18:34 nvd

HIGH 8.2

DescriptionCVE.org

Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.

AnalysisAI

SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to manipulate database queries through vulnerable parameters in admin panel files (/admin/users.php and /admin/mailer.php). Attackers can extract sensitive database information using time-based blind SQL injection or cause denial of service. A public proof-of-concept exploit is available on Exploit-DB, though the vulnerability is not currently in CISA's KEV catalog.

Technical ContextAI

RealtyScript (CPE: cpe:2.3:a:next_click_ventures:realtyscripts:*:*:*:*:*:*:*:*) is a PHP-based real estate listing management system. The vulnerability stems from improper input validation (CWE-89: SQL Injection) where user-supplied data in the 'u_id' GET parameter and 'agent[]' POST parameter is directly concatenated into SQL queries without sanitization. This allows injection of arbitrary SQL commands, including time-based payloads using SLEEP() functions for blind extraction of data.

RemediationAI

No patch information is available in the provided references. Given the 2015 disclosure date and apparent lack of vendor response, organizations should consider RealtyScript 4.0.2 as end-of-life. Recommended mitigations include: 1) Migrate to a supported real estate management system, 2) If migration is not immediately possible, implement web application firewall rules to filter SQL injection attempts, 3) Restrict access to /admin/ directories through IP whitelisting or additional authentication layers, 4) Apply input validation and parameterized queries if source code modification is possible.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2015-20121 vulnerability details – vuln.today

Back

PHP CVE-2015-20121

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code