Blind SQL Injection in Ultimate Project Manager CRM PRO by CodeXCube
CVE-2020-37004

8.2NONE

Key Information:

Vendor: Codexcube
Status: Ultimate Project Manager Crm Pro
Vendor: CVE Published:; 29 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-37004?

The Ultimate Project Manager CRM PRO 2.0.5 is susceptible to a blind SQL injection vulnerability. This flaw can be exploited through the /frontend/get_article_suggestion/ endpoint, allowing malicious users to craft specially designed search parameters. By utilizing boolean-based inference techniques, attackers can guess and extract sensitive information, including usernames and password hashes, from the tbl_users database table. It is crucial for users and administrators of this platform to implement appropriate security measures to mitigate the risk of credential exposure.

Affected Version(s)

Ultimate Project Manager CRM PRO <= 2.0.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-37004 - Proof of Concept

References

https://www.exploit-db.com/exploits/48912

exploit

https://ultimatepro.codexcube.com/

product

https://www.vulncheck.com/advisories/ultimate-project-man...

third-party-advisory

CVSS V4

Score:

Severity:

NONE

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jan 29, 2026
👾
Exploit known to exist
Jan 29, 2026
Vulnerability published
Jan 29, 2026
Vulnerability Reserved
Jan 27, 2026

Credit

nag0mez

CVE-2020-37004 Data

JSON

Codexcube

Badges

What is CVE-2020-37004?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit