Vvveb
CVE-2025-11944
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability was determined in givanz Vvveb up to 1.0.7.3. This affects the function Import of the file admin/controller/tools/import.php of the component Raw SQL Handler. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 52204b4a106b2fb02d16eee06a88a1f2697f9b35. It is recommended to apply a patch to fix this issue.
Analysis (AI-generated)
SQL injection in Vvveb up to version 1.0.7.3 allows authenticated high-privileged remote attackers to execute arbitrary SQL queries through the Raw SQL Handler import function in admin/controller/tools/import.php. The vulnerability requires administrative credentials and has been publicly disclosed with exploit code available, though EPSS modeling indicates low real-world exploitation probability at 0.04%.
Technical Context (AI-generated)
Vvveb is a PHP-based visual website builder. The vulnerability exists in the Raw SQL Handler component's Import function, which processes user-supplied SQL input without proper sanitization or parameterized query usage. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection') indicates the root cause is failure to neutralize SQL metacharacters before passing them to a SQL execution context. The affected component accepts raw SQL input at admin/controller/tools/import.php, which is designed to allow administrators to import database structures but lacks input validation. The attack vector is network-accessible but restricted to authenticated high-privilege users (PR:H in CVSS 4.0), meaning the attacker must first obtain or compromise an administrator account.
Remediation (AI-generated)
Upgrade Vvveb to a version released after commit 52204b4a106b2fb02d16eee06a88a1f2697f9b35 (exact version number not independently confirmed; verify with the vendor for the next stable release). This patch sanitizes SQL input in the Raw SQL Handler import function. As an interim compensating control, restrict network access to the admin/controller/tools/import.php endpoint using firewall rules or a web application firewall (WAF) so that only trusted internal networks can reach it; this reduces the remote attack surface while preserving administrative functionality. Additionally, implement strict administrative access controls: enforce multi-factor authentication (MFA) for administrator accounts, conduct regular access reviews to remove unnecessary high-privilege accounts, and enable comprehensive audit logging of all administrative actions, including use of the import function. These controls address the high-privilege requirement (PR:H) that limits real-world exploitation. Monitor application logs for SQL error messages or unusual import activity that may indicate exploitation attempts.
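A log-review pass for the compensating controls described above (trusted-network restriction and monitoring of import activity), added here as an example; it is not part of this advisory or of Vvveb. The endpoint path is the one named in the advisory; the trusted network 10.0.0.0/8 and the access-log lines are constructed values.

```python
import ipaddress
import re

# Endpoint named in the advisory; the trusted network is an assumed example value.
IMPORT_PATH = "/admin/controller/tools/import.php"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common Log Format: ip - user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line: str) -> dict:
    """Parse one access-log line; return {} for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def is_trusted(ip: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def review_import_access(lines: list) -> list:
    """One finding per request to the raw SQL import endpoint that comes from
    outside the trusted network or ends in a 5xx (a crude SQL-error proxy)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] != IMPORT_PATH:
            continue
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted_source")
        if rec["status"].startswith("5"):
            reasons.append("server_error")
        if reasons:
            findings.append({"ip": rec["ip"], "user": rec["user"],
                             "ts": rec["ts"], "reason": ",".join(reasons)})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.20 - admin [12/Oct/2025:10:01:02 +0000] "POST /admin/controller/tools/import.php HTTP/1.1" 200 512',
    '203.0.113.7 - admin [12/Oct/2025:10:05:44 +0000] "POST /admin/controller/tools/import.php HTTP/1.1" 200 512',
    '10.0.5.20 - admin [12/Oct/2025:10:07:10 +0000] "POST /admin/controller/tools/import.php?x=1 HTTP/1.1" 500 0',
    '198.51.100.9 - - [12/Oct/2025:10:08:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
```

Running `review_import_access(SAMPLE_LOG)` flags the second line (admin import from an untrusted address) and the third (import that ended in a server error); the first is trusted and successful, and the fourth is not the import endpoint.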