CVE-2025-10967
📋 TL;DR
This CVE describes a SQL injection vulnerability in MuFen-mker PHP-Usermm software affecting the /chkuser.php endpoint. Attackers can manipulate the Username parameter to execute arbitrary SQL commands, potentially compromising the database. All users of PHP-Usermm up to commit 37f2d24e51b04346dfc565b93fc2fc6b37bdaea9 are affected.
💻 Affected Systems
- MuFen-mker PHP-Usermm
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.
Likely Case
Unauthorized data access, credential theft, and potential authentication bypass leading to account takeover.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.
🎯 Exploit Status
The exploit is publicly available and can be executed remotely without authentication. SQL injection vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider migrating to alternative software or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation for the Username parameter in /chkuser.php
Edit /chkuser.php to add: $username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
Web Application Firewall (WAF)
allDeploy WAF rules to block SQL injection patterns
Add WAF rule: SecRule ARGS:Username "@detectSQLi" "id:1001,phase:2,deny"
🧯 If You Can't Patch
- Disable or restrict access to /chkuser.php endpoint
- Implement network segmentation and isolate the affected system
🔍 How to Verify
Check if Vulnerable:
Test the /chkuser.php endpoint with SQL injection payloads like: Username=' OR '1'='1Check Version:
Check git commit hash: git log --oneline -1Verify Fix Applied:
Test with the same payloads and verify they are rejected or sanitized📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts with SQL patterns
- Access to /chkuser.php with suspicious parameters
Network Indicators:
- HTTP POST requests to /chkuser.php containing SQL keywords (UNION, SELECT, etc.)
- Unusual database connection patterns
SIEM Query:
source="web_logs" AND uri="/chkuser.php" AND (Username="*UNION*" OR Username="*SELECT*" OR Username="*OR*1=1*")