Which versions of PHP are affected by CVE-2018-25161?

The Warranty Tracking System contains a critical SQL injection vulnerability that could allow attackers to compromise customer data, manipulate warranty records, and potentially gain unauthorized…

Is there a public PoC exploit available for CVE-2018-25161?

Yes, a public proof-of-concept exploit is available for CVE-2018-25161. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2018-25161?

Within 24 hours: isolate the affected Warranty Tracking System from production networks if possible, or restrict access to trusted users only and enable enhanced logging. Within 7 days: deploy Web Application Firewall (WAF) rules to block SQL injection patterns on SearchCustomer.php parameters, and conduct an audit of recent access logs for exploitation indicators. Within 30 days: contact the vendor for an available patch or timeline, evaluate alternative warranty tracking solutions, and implement input validation/parameterized queries if source code modifications are feasible.

PHP CVE-2018-25161

Q: What is the CVSS score of CVE-2018-25161?

CVE-2018-25161 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

HIGH

SQL Injection (CWE-89)

2026-03-06 disclosure@vulncheck.com

PHP SQLi

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 15, 2026 - 15:22 NVD

8.2 (HIGH) 8.8 (HIGH)

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 09, 2026 - 13:35 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 13:15 nvd

HIGH 8.2

DescriptionNVD

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements using UNION SELECT to extract sensitive database information including usernames, database names, and version details.

AnalysisAI

Technical ContextAI

Classified as CWE-89 (SQL Injection). Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements using UNION SELECT to extract sensitive database information including usernames, database names, and version details.

Affected ProductsAI

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

CVE-2018-25161 vulnerability details – vuln.today

Back

PHP CVE-2018-25161

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

PHP CVE-2018-25161

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code