Affiliate Me SQL Injection Vulnerability in Admin Panel

Vulnerability

A SQL injection vulnerability has been identified in Affiliate Me version 5.0.1, specifically within the admin.php endpoint. An authenticated administrator can manipulate the database query behind the 'id' parameter by supplying crafted union-based input, and thereby extract sensitive user information, including usernames and password hashes.

Impact

Successful exploitation lets an attacker holding an admin account manipulate database queries and potentially read sensitive information such as user credentials. A normal admin can also use this vulnerability to escalate privileges to super admin.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a request to the admin.php endpoint with a crafted SQL injection payload in the 'id' parameter. The injected query can be designed to union select sensitive data from the database, such as usernames and password hashes.
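The pattern behind this class of bug, as an added illustration that is not part of the advisory and not Affiliate Me's own code: a Python/sqlite3 stand-in (the application itself is PHP) showing the concatenated query that a union-based 'id' value rewrites, the type-checked and parameter-bound replacement, and a log check that flags admin.php requests whose 'id' parameter is not a plain integer. The table and column names, hash values and log lines are constructed placeholders, not taken from the product.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_db() -> sqlite3.Connection:
    """Constructed stand-in schema: an affiliates table looked up by id and a
    separate admins table holding password hashes. Names and hash values are
    placeholders, not the application's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE affiliates (id INTEGER PRIMARY KEY, name TEXT, site TEXT);
        CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT,
                             password_hash TEXT, role TEXT);
        INSERT INTO affiliates VALUES (1, 'acme', 'acme.example'),
                                      (2, 'globex', 'globex.example');
        INSERT INTO admins VALUES (1, 'root', 'PLACEHOLDER_HASH_1', 'superadmin'),
                                  (2, 'editor', 'PLACEHOLDER_HASH_2', 'admin');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """Root-cause pattern: the request parameter is spliced into the SQL text,
    so a value containing a quote and a UNION clause rewrites the query and
    pulls rows from a different table."""
    sql = f"SELECT id, name, site FROM affiliates WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw_id: str):
    """Fix: enforce the expected type first, then bind the value as a query
    parameter so the database engine never parses it as SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, name, site FROM affiliates WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


# Detection side: admin.php's 'id' is expected to be numeric, so any other
# value is anomalous on its own; the keyword check just labels union probing.
UNION_RE = re.compile(r"union\s+(?:all\s+)?select", re.IGNORECASE)
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (decoded id value, tag) for each admin.php request whose 'id'
    parameter is not a plain integer."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/admin.php"):
            continue
        for value in parse_qs(parts.query).get("id", []):
            if not value.isdigit():
                tag = "union-based" if UNION_RE.search(value) else "non-numeric id"
                findings.append((value, tag))
    return findings


# Constructed access-log lines (combined log format); the address is from the
# documentation range and the requests are made up for this example.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Dec/2025:23:39:00 +0000] "GET /admin.php?id=2 HTTP/1.1" 200 412',
    '192.0.2.10 - - [17/Dec/2025:23:39:05 +0000] "GET /admin.php?id=0%27+UNION+SELECT+id,username,password_hash+FROM+admins-- HTTP/1.1" 200 611',
    '192.0.2.10 - - [17/Dec/2025:23:39:09 +0000] "GET /admin.php?id=1%27 HTTP/1.1" 500 98',
    '192.0.2.11 - - [17/Dec/2025:23:39:12 +0000] "GET /index.php?id=abc HTTP/1.1" 200 1203',
]


def run_demo() -> dict:
    """Exercise both lookups with a benign id and with a union-based value,
    and run the log check over the constructed sample."""
    conn = build_db()
    payload = "0' UNION SELECT id, username, password_hash FROM admins -- "
    try:
        lookup_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "benign": lookup_hardened(conn, "1"),
        "leaked_by_vulnerable": sorted(lookup_vulnerable(conn, payload)),
        "payload_rejected_by_hardened": rejected,
        "log_findings": suspicious_requests(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hardened lookup rejects the crafted value before any SQL runs, and even a value that passed the type check would be bound as data rather than parsed, so the UNION never reaches the query planner. The log check is deliberately narrow: for an endpoint whose 'id' should always be an integer, "not an integer" is a cleaner alert condition than keyword matching alone, which the keyword tag then refines.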

Added: Dec 17, 2025, 11:39 PM
Updated: Dec 17, 2025, 11:39 PM