CVE-2018-25385: Unauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
E-Registrasi Pencak Silat version 18.10 contains an SQL injection flaw that allows attackers without credentials to retrieve sensitive data from the application's database. By crafting malicious requests to the monitor_nilai.php endpoint, an attacker can inject SQL commands through the id_partai parameter to extract admin credentials, user records, and other protected information. No authentication is required to attempt this attack.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
E-Registrasi Pencak Silat 18.10 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id_partai parameter. Attackers can send GET requests to monitor_nilai.php with crafted SQL payloads in the id_partai parameter to extract sensitive database information including admin credentials and user data.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25385 is an unauthenticated SQL injection vulnerability in E-Registrasi Pencak Silat 18.10 affecting the monitor_nilai.php script. The vulnerability exists in the id_partai parameter, which fails to properly sanitize or parameterize user input before incorporating it into SQL queries (CWE-89). Attackers can submit GET requests with crafted SQL payloads to bypass authentication controls and execute arbitrary queries against the backend database. The attack surface is network-accessible and requires no special privileges or user interaction.
Business impact
Successful exploitation enables complete compromise of the application's data confidentiality. Admin credentials exposure directly threatens administrative account takeover, allowing attackers to modify application behavior, create backdoor accounts, or escalate further within the hosting environment. User data extraction creates secondary risks including identity theft, credential reuse attacks, and regulatory compliance violations. The vulnerability affects registration and scoring functions in what appears to be a martial arts competition management system, risking operational disruption during events and reputational damage.
Affected systems
E-Registrasi Pencak Silat version 18.10 is confirmed affected. Organizations running this application—typically Indonesian martial arts (Pencak Silat) organizations managing competitions and participant registration—should verify their current deployment version immediately. Vendor confirmation of affected version scope and availability of patches has not been independently verified in this advisory.
Exploitability
This vulnerability is straightforward to exploit. No authentication, special configuration, or user interaction is required. The attack uses standard HTTP GET requests with URL-encoded SQL payloads, making it accessible to relatively unsophisticated attackers using common web testing tools. Network accessibility (AV:N) and low attack complexity (AC:L) mean that remote exploitation is practical at scale. No public exploit code or KEV status has been recorded, but the simplicity of SQL injection attacks and the lack of technical barriers suggest exploitation risk is elevated.
Remediation
Immediate action is required. Organizations must contact the E-Registrasi Pencak Silat vendor or development team to obtain and deploy a patched version addressing the SQL injection. If updates are unavailable, implement emergency mitigations: restrict network access to monitor_nilai.php using web application firewall (WAF) rules or network-level controls, disable or isolate the affected application if business continuity permits, and audit database logs for signs of exploitation. Parameterized queries and prepared statements must replace string concatenation in the vulnerable code path.
Patch guidance
Verify the availability of patches directly from the E-Registrasi Pencak Silat vendor or development team. Apply any released security update to production systems only after testing in a staging environment that mirrors production data and configuration. Given the HIGH CVSS score and ease of exploitation, patch deployment should be expedited within your change management window. If the application is no longer actively maintained, evaluate migration to alternative registration platforms with active security support.
Detection guidance
Monitor access logs to monitor_nilai.php for unusual GET request patterns, particularly those containing SQL syntax characters (single quotes, double dashes, UNION, SELECT, OR, DROP) in the id_partai parameter. Database audit logs should be reviewed for unexpected query execution, failed login attempts, or access to sensitive tables outside normal application patterns. Implement network-based detection rules to flag requests to this endpoint with SQL metacharacters. If available, enable query logging at the database layer to record all executed statements for forensic analysis.
Why prioritize this
HIGH CVSS (8.2) reflects the combination of unauthenticated network access, low attack complexity, and high confidentiality impact. SQL injection remains among the most reliably exploitable web vulnerabilities. Exposure of admin credentials directly enables full system compromise. This should be treated as critical unless the affected application is air-gapped or genuinely non-production.
Risk score, explained
CVSS 3.1 score of 8.2 (HIGH) is driven by: AV:N (network-accessible, no physical access required), AC:L (standard SQL injection techniques), PR:N (no authentication needed), UI:N (no user interaction required), S:U (scope unchanged), C:H (confidential data fully compromised), I:L (integrity slightly affected—potential for data modification through SQL), and A:N (availability not directly impacted). The score appropriately reflects the practical risk: easy remote exploitation with direct credential theft potential.
Frequently asked questions
How do I know if my system is running the vulnerable version?
E-Registrasi Pencak Silat 18.10 is confirmed vulnerable. Check your application deployment for the version number in configuration files, administration panels, or by contacting your application administrator. If you are running version 18.10, assume the system is vulnerable unless a vendor security patch has been explicitly applied.
Can this vulnerability be exploited from outside our network?
Yes. The attack uses standard HTTP requests accessible over the internet. If your E-Registrasi Pencak Silat instance is web-facing or reachable from untrusted networks, it can be attacked remotely without requiring any prior access. Even if behind a firewall, insider threats and compromised internal systems can exploit it.
What data is most at risk?
Admin credentials and user registration data are explicitly mentioned as extractable. In a competition registration system, this typically includes participant names, addresses, contact information, team affiliations, payment records, and score data. If the database stores medical information or sensitive identification numbers, those are equally vulnerable to extraction.
Is there a temporary workaround if I cannot patch immediately?
Temporary mitigations include: restricting access to monitor_nilai.php using a Web Application Firewall (WAF) to block requests containing SQL syntax, limiting network access to the application to trusted IPs only, and disabling the vulnerable functionality if business-critical operations do not depend on it. These are not substitutes for patching—they buy time for proper remediation planning.
This advisory is provided for informational purposes. SEC.co does not confirm product lineage, patch availability, or deployment scope beyond the information stated. Organizations should verify affected version numbers against vendor documentation and test any patches in staging environments before production deployment. Exploitation details are intentionally limited to prevent weaponization; consult your security operations center or vendor for specific incident response procedures. No guarantee is made regarding the completeness or accuracy of detection signatures provided—tailor detection rules to your environment and baseline traffic patterns. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25398HIGHUnauthenticated SQL Injection in Open ISES Project 3.30A