Wecodex Hotel CMS SQL Injection Vulnerability in Admin Login
Vulnerability
An SQL injection vulnerability has been identified in Wecodex Hotel CMS version 1.0, specifically within the admin login feature. This vulnerability allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter of POST requests to index.php when the action parameter is set to processlogin. Because the username value is incorporated into the login query as part of the SQL text rather than as bound data, exploitation could lead to unauthorized administrative access or the extraction of sensitive database information.
Impact
Exploitation of this vulnerability could allow attackers to bypass authentication and gain unauthorized administrative access, potentially leading to further exploitation of the application or its underlying database.
Reproduction
To reproduce this vulnerability, send a POST request to the admin login endpoint (index.php?action=processlogin) with a crafted SQL payload in the username parameter. The injected SQL code can be used to manipulate the application's database queries, bypass authentication, and access administrative privileges.
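The following is an added illustration, not code from Wecodex Hotel CMS, of how a login handler for the index.php?action=processlogin route is written so that the username parameter cannot alter the query. The vulnerable pattern behind this class of issue (splicing the POST value into the SQL string) is shown only as a comment; the table name admin, the column names, and the database credentials are assumptions.

```php
<?php
// Added example (not Wecodex Hotel CMS code): a hardened handler for
// index.php?action=processlogin. Table/column names and DB credentials
// are placeholders.
declare(strict_types=1);
session_start();

// --- Vulnerable pattern this advisory describes (comment only) ---------
// $sql = "SELECT * FROM admin WHERE username = '" . $_POST['username'] . "'"
//        . " AND password = '" . md5($_POST['password']) . "'";
// The username value becomes part of the statement text, so whoever
// controls that POST field controls the structure of the query.

function connect(): PDO
{
    // Connection details are placeholders for this example.
    return new PDO(
        'mysql:host=localhost;dbname=hotel_cms;charset=utf8mb4',
        'dbuser',
        'dbpass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

/**
 * Returns the admin row on success, or null on failure.
 * The username is bound as a parameter, so its content is data, never SQL,
 * and the password is checked in PHP with password_verify(), not in SQL.
 */
function processLogin(PDO $pdo, string $username, string $password): ?array
{
    // Cheap input sanity checks; these are not the SQLi defence, the bound
    // parameter below is.
    if ($username === '' || $password === '' || strlen($username) > 64) {
        return null;
    }

    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM admin WHERE username = :username LIMIT 1'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    unset($row['password_hash']);
    return $row;
}

if (($_GET['action'] ?? '') === 'processlogin' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    $admin = processLogin(connect(), $username, $password);
    if ($admin === null) {
        // Log the submitted username (newlines stripped so the log line cannot be
        // forged) so failed admin logins carrying SQL metacharacters stand out in
        // web-server or SIEM review.
        error_log(sprintf(
            'admin login failed user=%s ip=%s',
            str_replace(["\r", "\n"], ' ', $username),
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ));
        http_response_code(401);
        exit('Invalid credentials');
    }

    session_regenerate_id(true);
    $_SESSION['admin_id'] = $admin['id'];
    header('Location: index.php?action=dashboard');
    exit;
}
```

The fix is the prepared statement with a bound parameter: the query text is fixed at prepare time and the username travels to the server as a value, so quote characters or SQL keywords in it have no effect on the statement. Checking the password with password_verify() in application code removes the second place where user input would otherwise be compared inside SQL, and logging failed admin logins with the submitted username gives operators a simple detection point for attempts against this endpoint.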