HIGH 8.2

CVE-2018-25385: Unauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10

E-Registrasi Pencak Silat version 18.10 contains an SQL injection flaw that allows attackers without credentials to retrieve sensitive data from the application's database. By crafting malicious requests to the monitor_nilai.php endpoint, an attacker can inject SQL commands through the id_partai parameter to extract admin credentials, user records, and other protected information. No authentication is required to attempt this attack.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

E-Registrasi Pencak Silat 18.10 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id_partai parameter. Attackers can send GET requests to monitor_nilai.php with crafted SQL payloads in the id_partai parameter to extract sensitive database information including admin credentials and user data.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25385 is an unauthenticated SQL injection vulnerability in E-Registrasi Pencak Silat 18.10 affecting the monitor_nilai.php script. The vulnerability exists in the id_partai parameter, which fails to properly sanitize or parameterize user input before incorporating it into SQL queries (CWE-89). Attackers can submit GET requests with crafted SQL payloads to bypass authentication controls and execute arbitrary queries against the backend database. The attack surface is network-accessible and requires no special privileges or user interaction.

Business impact

Successful exploitation enables complete compromise of the application's data confidentiality. Admin credentials exposure directly threatens administrative account takeover, allowing attackers to modify application behavior, create backdoor accounts, or escalate further within the hosting environment. User data extraction creates secondary risks including identity theft, credential reuse attacks, and regulatory compliance violations. The vulnerability affects registration and scoring functions in what appears to be a martial arts competition management system, risking operational disruption during events and reputational damage.

Affected systems

E-Registrasi Pencak Silat version 18.10 is confirmed affected. Organizations running this application—typically Indonesian martial arts (Pencak Silat) organizations managing competitions and participant registration—should verify their current deployment version immediately. Vendor confirmation of affected version scope and availability of patches has not been independently verified in this advisory.

Exploitability

This vulnerability is straightforward to exploit. No authentication, special configuration, or user interaction is required. The attack uses standard HTTP GET requests with URL-encoded SQL payloads, making it accessible to relatively unsophisticated attackers using common web testing tools. Network accessibility (AV:N) and low attack complexity (AC:L) mean that remote exploitation is practical at scale. No public exploit code or KEV status has been recorded, but the simplicity of SQL injection attacks and the lack of technical barriers suggest exploitation risk is elevated.

Remediation

Immediate action is required. Organizations must contact the E-Registrasi Pencak Silat vendor or development team to obtain and deploy a patched version addressing the SQL injection. If updates are unavailable, implement emergency mitigations: restrict network access to monitor_nilai.php using web application firewall (WAF) rules or network-level controls, disable or isolate the affected application if business continuity permits, and audit database logs for signs of exploitation. Parameterized queries and prepared statements must replace string concatenation in the vulnerable code path.

Patch guidance

Verify the availability of patches directly from the E-Registrasi Pencak Silat vendor or development team. Apply any released security update to production systems only after testing in a staging environment that mirrors production data and configuration. Given the HIGH CVSS score and ease of exploitation, patch deployment should be expedited within your change management window. If the application is no longer actively maintained, evaluate migration to alternative registration platforms with active security support.

Detection guidance

Monitor access logs to monitor_nilai.php for unusual GET request patterns, particularly those containing SQL syntax characters (single quotes, double dashes, UNION, SELECT, OR, DROP) in the id_partai parameter. Database audit logs should be reviewed for unexpected query execution, failed login attempts, or access to sensitive tables outside normal application patterns. Implement network-based detection rules to flag requests to this endpoint with SQL metacharacters. If available, enable query logging at the database layer to record all executed statements for forensic analysis.

Why prioritize this

HIGH CVSS (8.2) reflects the combination of unauthenticated network access, low attack complexity, and high confidentiality impact. SQL injection remains among the most reliably exploitable web vulnerabilities. Exposure of admin credentials directly enables full system compromise. This should be treated as critical unless the affected application is air-gapped or genuinely non-production.

Risk score, explained

CVSS 3.1 score of 8.2 (HIGH) is driven by: AV:N (network-accessible, no physical access required), AC:L (standard SQL injection techniques), PR:N (no authentication needed), UI:N (no user interaction required), S:U (scope unchanged), C:H (confidential data fully compromised), I:L (integrity slightly affected—potential for data modification through SQL), and A:N (availability not directly impacted). The score appropriately reflects the practical risk: easy remote exploitation with direct credential theft potential.

Frequently asked questions

How do I know if my system is running the vulnerable version?

E-Registrasi Pencak Silat 18.10 is confirmed vulnerable. Check your application deployment for the version number in configuration files, administration panels, or by contacting your application administrator. If you are running version 18.10, assume the system is vulnerable unless a vendor security patch has been explicitly applied.

Can this vulnerability be exploited from outside our network?

Yes. The attack uses standard HTTP requests accessible over the internet. If your E-Registrasi Pencak Silat instance is web-facing or reachable from untrusted networks, it can be attacked remotely without requiring any prior access. Even if behind a firewall, insider threats and compromised internal systems can exploit it.

What data is most at risk?

Admin credentials and user registration data are explicitly mentioned as extractable. In a competition registration system, this typically includes participant names, addresses, contact information, team affiliations, payment records, and score data. If the database stores medical information or sensitive identification numbers, those are equally vulnerable to extraction.

Is there a temporary workaround if I cannot patch immediately?

Temporary mitigations include: restricting access to monitor_nilai.php using a Web Application Firewall (WAF) to block requests containing SQL syntax, limiting network access to the application to trusted IPs only, and disabling the vulnerable functionality if business-critical operations do not depend on it. These are not substitutes for patching—they buy time for proper remediation planning.

This advisory is provided for informational purposes. SEC.co does not confirm product lineage, patch availability, or deployment scope beyond the information stated. Organizations should verify affected version numbers against vendor documentation and test any patches in staging environments before production deployment. Exploitation details are intentionally limited to prevent weaponization; consult your security operations center or vendor for specific incident response procedures. No guarantee is made regarding the completeness or accuracy of detection signatures provided—tailor detection rules to your environment and baseline traffic patterns. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).