SQL Injection Vulnerability in WCMS 11 from Vendor Unknown
CVE-2025-3799

6.9MEDIUM

Key Information:

Vendor

Unknown

Status
Wcms
Vendor
CVE Published:
19 April 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-3799?

A vulnerability has been identified in WCMS 11, specifically in the AnonymousController.php file. This weakness enables an attacker to manipulate input parameters such as email or username, culminating in SQL injection attacks. Since the exploit can be executed remotely, it opens a potential pathway for attackers to compromise the system. There are indications that other parameters may also be vulnerable, amplifying the risk to the application. The vulnerability has been publicly disclosed, necessitating immediate attention from users to secure their systems.

Affected Version(s)

WCMS 11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-3799 - Proof of Concept

References

https://vuldb.com/?id.305652
vdb-entrytechnical-description
https://vuldb.com/?ctiid.305652
signaturepermissions-required
https://vuldb.com/?submit.554697
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

icefoxh (VulDB User)
.