CVE-2025-15004: DedeCMS SQL Injection Vulnerability

CVE-2025-15004 is a SQL injection vulnerability in DedeCMS affecting versions up to 5.7.118. Attackers can exploit the orderby parameter in freelist_main.php remotely. This article covers technical details, impact, and mitigation.

CVE-2025-15004 Overview

CVE-2025-15004 is a SQL injection vulnerability affecting DedeCMS versions up to 5.7.118. The flaw resides in the /freelist_main.php script, where attackers can manipulate the orderby argument to inject arbitrary SQL into backend queries. The attack is remotely exploitable and requires only low-level privileges, with no user interaction needed. Public exploit details have been disclosed through VulDB and external research notes, increasing the likelihood of opportunistic abuse against unpatched DedeCMS deployments.

Critical Impact

Authenticated remote attackers can inject SQL statements through the orderby parameter in /freelist_main.php, enabling unauthorized read or modification of DedeCMS database contents.

Affected Products

  • DedeCMS versions up to and including 5.7.118
  • Deployments exposing /freelist_main.php to authenticated users
  • Web applications built on the affected DedeCMS branch

Discovery Timeline

  • 2025-12-22 - CVE-2025-15004 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-15004

Vulnerability Analysis

The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). DedeCMS fails to sanitize the orderby HTTP parameter before incorporating it into a SQL query inside /freelist_main.php. Because the parameter is concatenated into the ORDER BY clause without validation against a permitted column allowlist, attackers can append arbitrary SQL syntax to alter the query structure.

Exploitation is reachable over the network and requires only low privileges. The vulnerability has an EPSS probability of 0.302%, indicating limited but non-trivial near-term exploitation activity. Successful injection allows attackers to enumerate database schema, exfiltrate stored content, or perform time-based blind extraction of credentials and session data managed by DedeCMS.

Root Cause

The root cause is the direct inclusion of user-controlled input from the orderby request parameter into a dynamic SQL statement. DedeCMS does not constrain orderby to a fixed set of sortable columns and does not apply parameter binding or escaping appropriate for SQL identifiers in this code path.

Attack Vector

An authenticated attacker issues a crafted HTTP request to /freelist_main.php with a malicious orderby value. The injected payload is appended to the ORDER BY clause of the underlying query, allowing UNION-based extraction or stacked-query manipulation depending on database configuration. No interaction from another user is required, and the attack can be automated against exposed installations.

No verified proof-of-concept code has been published in a vetted repository. Technical write-ups referenced by VulDB #337710 and the HXLab Resource Share describe parameter manipulation patterns consistent with ORDER BY-clause injection.

Detection Methods for CVE-2025-15004

Indicators of Compromise

  • HTTP requests to /freelist_main.php containing SQL keywords (UNION, SELECT, SLEEP, BENCHMARK) within the orderby parameter.
  • Anomalous database errors logged by DedeCMS referencing malformed ORDER BY clauses.
  • Outbound traffic from the web server to attacker infrastructure following suspicious requests to the affected endpoint.

Detection Strategies

  • Inspect web server access logs for orderby values that contain characters outside expected column names, such as spaces, commas, parentheses, or comment markers.
  • Deploy WAF rules that block SQL metacharacters in the orderby query parameter for DedeCMS endpoints.
  • Correlate authenticated session activity with spikes in database query duration to surface blind SQL injection attempts.
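The access-log inspection and SQL-keyword checks listed above, as an added Python example that is not part of this CVE record or of DedeCMS: it decodes every orderby value sent to /freelist_main.php (including double URL-encoding) and flags values that are not plain column identifiers. The allowlisted column names and the log lines are constructed assumptions; the identifier regex mirrors the ModSecurity rule shown under Workarounds.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed sort columns; DedeCMS's real list is not on this page, adapt as needed.
ALLOWED_COLUMNS = {"id", "title", "pubdate", "click", "sortrank"}
# Same identifier shape the ModSecurity rule on this page enforces.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
SQL_KEYWORD_RE = re.compile(r"\b(union|select|sleep|benchmark)\b", re.IGNORECASE)
# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - admin [22/Dec/2025:10:00:01 +0000] '
    '"GET /freelist_main.php?orderby=pubdate HTTP/1.1" 200 5120',
    '203.0.113.5 - admin [22/Dec/2025:10:00:09 +0000] '
    '"GET /freelist_main.php?orderby=id%20desc%2Cid HTTP/1.1" 500 312',
    '198.51.100.7 - editor [22/Dec/2025:10:01:30 +0000] '
    '"GET /freelist_main.php?orderby=%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 5120',
    '198.51.100.7 - editor [22/Dec/2025:10:02:00 +0000] '
    '"GET /index.php?orderby=UNION HTTP/1.1" 200 88',  # other endpoint: ignored
]

def classify(value):
    """Return None for an allowlisted column, else a short reason string."""
    decoded = value
    for _ in range(2):  # unwrap double URL-encoding that slips past naive filters
        decoded = unquote_plus(decoded)
    if decoded in ALLOWED_COLUMNS:
        return None
    if IDENTIFIER_RE.fullmatch(decoded):
        return "unknown column"  # identifier-shaped but not allowlisted
    hit = SQL_KEYWORD_RE.search(decoded)
    return f"sql keyword {hit.group(1).upper()}" if hit else "non-identifier characters"

def scan_log(lines):
    """Return (ip, orderby value, reason) for suspicious freelist_main.php hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlsplit(m.group("path"))
        if not parsed.path.endswith("/freelist_main.php"):
            continue
        for value in parse_qs(parsed.query, keep_blank_values=True).get("orderby", []):
            reason = classify(value)
            if reason:
                findings.append((m.group("ip"), value, reason))
    return findings
```

Run `scan_log` over the real access log to produce the same (ip, value, reason) tuples for SIEM ingestion; "unknown column" hits are low severity until the allowlist matches the deployed DedeCMS columns.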

Monitoring Recommendations

  • Forward DedeCMS and database query logs to a centralized SIEM for retention and alerting.
  • Alert on repeated HTTP 500 responses from /freelist_main.php originating from a single session.
  • Track database user activity for unexpected schema enumeration queries against DedeCMS tables.

How to Mitigate CVE-2025-15004

Immediate Actions Required

  • Restrict access to /freelist_main.php to trusted networks or remove it if unused.
  • Audit DedeCMS user accounts and revoke unnecessary low-privilege access that could be leveraged for exploitation.
  • Enable database query logging to capture forensic evidence of exploitation attempts.

Patch Information

No official patch from DedeCMS has been documented in the NVD record at publication. Monitor the DedeCMS project and VulDB CTI #337710 for updates and apply vendor fixes once released.

Workarounds

  • Implement a WAF signature that validates the orderby parameter against an allowlist of permitted column names.
  • Enforce least-privilege database accounts so the DedeCMS service user cannot read sensitive tables or write outside its schema.
  • Place the application behind authenticated reverse proxies to limit exposure of administrative endpoints.

```bash
# Example ModSecurity rule restricting orderby to alphanumeric identifiers
SecRule ARGS:orderby "!@rx ^[A-Za-z0-9_]{1,32}$" \
    "id:1015004,phase:2,deny,status:403,\
    msg:'CVE-2025-15004 DedeCMS orderby SQLi attempt',\
    tag:'application-multi',tag:'attack-sqli'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
