Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL, propagated through the Orders component, and directly concatenated into the SQL ORDER BY clause in OrderSQL::getAll(). Because of this, attacker-controlled input reaches SQL structure without a whitelist or safe query construction step. This vulnerability is fixed in 1.0.8.3.
AnalysisAI
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries through the order history page. The vulnerability exists in the /user/orders endpoint where order_by and direction parameters are directly concatenated into SQL queries without sanitization, enabling database compromise with low-privileged user credentials. The vendor has released version 1.0.8.3 to address this issue.
Technical ContextAI
The vulnerability affects Vvveb CMS, an open-source content management system with page builder functionality. The issue stems from improper neutralization of special elements in SQL commands (CWE-89) where user-supplied input from URL parameters is directly concatenated into the ORDER BY clause in the OrderSQL::getAll() method. This classic SQL injection pattern occurs when dynamic query construction lacks parameterization or input validation, allowing attackers to modify the intended SQL logic.
RemediationAI
Upgrade to Vvveb CMS version 1.0.8.3 or later, which contains the vendor fix for this SQL injection vulnerability. The patch is available through the official Vvveb GitHub repository as documented in security advisory GHSA-vwcx-w4fq-9769. As an immediate workaround until patching is possible, consider restricting access to the /user/orders endpoint or implementing web application firewall rules to filter potentially malicious order_by and direction parameter values, though this may impact legitimate sorting functionality.
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability
A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators thr
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c
Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or
Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allo
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30582