Skip to main content
CVE Vulnerability Database

CVE-2025-1116: Dreamvention Live AJAX Search SQLi Flaw

CVE-2025-1116 is a critical SQL injection vulnerability in Dreamvention Live AJAX Search for OpenCart up to version 1.0.6. Attackers can exploit the keyword parameter remotely. This article covers technical details, impact, and fixes.

Updated:

CVE-2025-1116 Overview

CVE-2025-1116 is a SQL injection vulnerability in the Dreamvention Live AJAX Search Free extension for OpenCart, affecting versions up to 1.0.6. The flaw resides in the searchresults/search function exposed through the /?route=extension/live_search/module/live_search.searchresults endpoint. Attackers manipulate the keyword argument to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely without authentication, and a public proof-of-concept has been disclosed. The weakness is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Remote, unauthenticated attackers can inject SQL queries through the keyword parameter, potentially exposing OpenCart store data including customer records and order information.

Affected Products

  • Dreamvention Live AJAX Search Free extension for OpenCart
  • Versions up to and including 1.0.6
  • OpenCart deployments using the vulnerable extension

Discovery Timeline

  • 2025-02-08 - CVE-2025-1116 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-1116

Vulnerability Analysis

The vulnerability exists in the live search functionality of the Dreamvention Live AJAX Search Free extension. When a user submits a search query, the extension routes the request to /?route=extension/live_search/module/live_search.searchresults and invokes the searchresults/search function. The keyword parameter is concatenated into a SQL statement without proper sanitization or parameterization. This allows an attacker to break out of the intended query context and execute arbitrary SQL commands against the OpenCart database. Because the live search endpoint is publicly reachable, no authentication or user interaction is required to trigger the flaw.

Root Cause

The root cause is improper neutralization of user-supplied input in a database query, consistent with [CWE-74]. The keyword argument flows directly from the HTTP request into a SQL statement without the use of prepared statements or input escaping. This permits SQL syntax supplied by the attacker to be interpreted as part of the query structure rather than as data.

Attack Vector

The attack vector is network-based. An attacker issues a crafted HTTP request to the live search endpoint with a malicious payload in the keyword parameter. Successful exploitation can expose product, customer, and configuration data stored in the OpenCart database. Because the vulnerable route is part of normal store browsing functionality, exploitation traffic blends with legitimate search activity. A public proof-of-concept is available; see the GitHub Gist PoC Script and VulDB entry #295022 for technical details.

Detection Methods for CVE-2025-1116

Indicators of Compromise

  • HTTP requests to /?route=extension/live_search/module/live_search.searchresults containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP(, or -- in the keyword parameter.
  • Unusually long or encoded keyword values, or values containing hex literals and inline comments (/**/).
  • Database error messages or HTTP 500 responses correlated with live search requests.

Detection Strategies

  • Inspect web server and application logs for requests to the live_search.searchresults route with suspicious keyword patterns.
  • Deploy web application firewall (WAF) signatures targeting SQL injection payloads on the live search endpoint.
  • Correlate spikes in live search traffic from a single source IP with database error rates or slow query logs.

Monitoring Recommendations

  • Enable MySQL general query logging or slow query logging temporarily to identify malformed queries originating from the live search route.
  • Forward web server access logs to a centralized analytics platform and alert on high-entropy or oversized keyword parameters.
  • Monitor outbound database response sizes from the OpenCart application for anomalies consistent with data exfiltration.

How to Mitigate CVE-2025-1116

Immediate Actions Required

  • Disable or uninstall the Dreamvention Live AJAX Search Free extension on OpenCart stores running version 1.0.6 or earlier until a fixed version is confirmed.
  • Block direct access to the /?route=extension/live_search/module/live_search.searchresults route at the WAF or reverse proxy layer if the extension cannot be removed.
  • Review database audit logs and OpenCart application logs for prior exploitation attempts against the live search endpoint.

Patch Information

At the time of publication, no vendor patch is referenced in the NVD entry for CVE-2025-1116. Administrators should monitor the Dreamvention extension listing for an updated release and consult the VulDB advisory for further remediation guidance.

Workarounds

  • Restrict access to the live search route through IP allowlisting or authentication where feasible.
  • Deploy WAF rules that reject requests containing SQL injection signatures in the keyword parameter.
  • Apply database least-privilege controls so the OpenCart database user cannot read sensitive tables or execute administrative SQL statements.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.