SQL Injection Vulnerability in Dreamvention Live AJAX Search for OpenCart
CVE-2025-1116

6.9MEDIUM

Key Information:

Vendor

Dreamvention

Status
Live Ajax Search Free
Vendor
CVE Published:
8 February 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-1116?

A SQL injection vulnerability has been identified in the Dreamvention Live AJAX Search Free module for OpenCart, specifically within the searchresults/search function in the live_search.searchresults file. By manipulating the 'keyword' argument, an attacker can execute unauthorized SQL commands, potentially leading to data exposure or database compromise. This vulnerability is of significant concern due to its remote exploitation capability and the public disclosure of the exploit details, which heightens the risk for affected installations.

Affected Version(s)

Live AJAX Search Free 1.0.0

Live AJAX Search Free 1.0.1

Live AJAX Search Free 1.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-1116 - Proof of Concept

References

https://vuldb.com/?id.295022
vdb-entrytechnical-description
https://vuldb.com/?ctiid.295022
signaturepermissions-required
https://vuldb.com/?submit.492051
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

mcdruid (VulDB User)
.