CVE-2025-3676 – This critical SQL injection vulnerability in xx... (How to Fix)

Q: What is the severity of CVE-2025-3676?

CVE-2025-3676 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in xxyopen Novel-Plus allows attackers to manipulate database queries through the /api/front/search/books endpoint. Remote attackers can potentially read, modify, or delete database content. All users running Novel-Plus 3.5.0 are affected.

📋 TL;DR

This critical SQL injection vulnerability in xxyopen Novel-Plus allows attackers to manipulate database queries through the /api/front/search/books endpoint. Remote attackers can potentially read, modify, or delete database content. All users running Novel-Plus 3.5.0 are affected.

💻 Affected Systems

Products:

xxyopen Novel-Plus

Versions: 3.5.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability affects the /api/front/search/books endpoint specifically through the 'sort' parameter.

📦 What is this software?

Novel Plus by Xxyopen

View all CVEs affecting Novel Plus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, or potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized data access, data exfiltration, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation for the 'sort' parameter to only allow expected values

WAF Rule

all

Deploy web application firewall rules to block SQL injection patterns targeting the /api/front/search/books endpoint

🧯 If You Can't Patch

Restrict network access to the Novel-Plus application to trusted IP addresses only
Implement database user with minimal permissions (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test the /api/front/search/books endpoint with SQL injection payloads in the 'sort' parameter and observe database errors or unexpected behavior

Check Version:

Check Novel-Plus version in application configuration or admin panel

Verify Fix Applied:

Test with SQL injection payloads and verify they are rejected or sanitized without affecting database operations

📡 Detection & Monitoring

Log Indicators:

Unusual SQL syntax in request parameters
Database error messages in application logs
Multiple rapid requests to /api/front/search/books

Network Indicators:

SQL keywords in HTTP POST/GET parameters
Unusual database query patterns from application server

SIEM Query:

source="novel-plus-logs" AND (url_path="/api/front/search/books" AND (param="sort" AND value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--"))

📊 Metadata

CVE ID: CVE-2025-3676

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.22% exploit probability (44.9th percentile)

Published: April 16, 2025

Last Updated: April 23, 2025

🔗 References

https://github.com/mapl3miss/novel-SQLi/blob/main/novelCMS-sqli.md Exploit
https://vuldb.com/?ctiid.304965 Permissions Required,VDB Entry
https://vuldb.com/?id.304965 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.551950 Third Party Advisory,VDB Entry
https://github.com/mapl3miss/novel-SQLi/blob/main/novelCMS-sqli.md Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-3676, you might also want to check these: