CVE Alert: CVE-2025-10115 – n/a – SiempreCMS
CVE-2025-10115
A vulnerability was found in SiempreCMS up to and including version 1.3.6. It affects an unknown part of the file user_search_ajax.php. Manipulation of the argument name/userName leads to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection in SiempreCMS with a publicly disclosed exploit and no authentication required, so it can be attempted against any reachable instance without prior access.
Why this matters
Internet-facing SiempreCMS deployments risk disclosure or modification of database contents if the endpoint is targeted. Although the CVSS base metrics rate the per-asset impact as low, remote unauthenticated exploitation lowers the bar for attackers, and a single working request can be replayed against every site running the affected code.
Most likely attack path
An attacker sends crafted input in the name/userName parameter of user_search_ajax.php over the network to inject SQL into the underlying query. No user interaction or privileges are needed; the impact is bounded by what the CMS's database account can read or change, which may include exfiltration or tampering of stored data. The public PoC indicates the attack is practical rather than theoretical.
Who is most exposed
Sites running SiempreCMS 1.3.6 or earlier with a publicly reachable user_search_ajax.php are most at risk, especially on shared or low-security hosting where the endpoint is exposed to untrusted internet traffic.
Detection ideas
- Web/server logs show requests to user_search_ajax.php whose name/userName parameter carries SQL injection patterns (quotes, UNION SELECT, comment sequences such as -- or /*, tautologies like OR 1=1).
- Increased or abnormal database query times correlated with requests to that endpoint (time-based payloads such as SLEEP or BENCHMARK).
- WAF/IDS alerts for SQL injection payloads targeting the endpoint.
- Repeated access to the endpoint from diverse IPs with suspicious or systematically varied parameter strings, as produced by automated scanners.
- Unusually large or malformed responses from the endpoint, for example a user search returning far more rows than a normal lookup.
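The following is an added example of the first and fourth detection ideas turned into a script; it is not code from SiempreCMS or from the original alert. It assumes an access log in the common Apache/nginx "combined" format, and the sample lines, the /admin/ directory prefix and the source addresses are constructed for illustration (the advisory names only the file, not its path). Note that payloads sent in a POST body do not appear in an access log at all, so this check only covers GET requests; body inspection needs a WAF or application-level logging.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# The /admin/ prefix is an assumption; only the file name comes from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2025:10:01:02 +0000] "GET /admin/user_search_ajax.php?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2025:10:01:09 +0000] "GET /admin/user_search_ajax.php?name=%27%20OR%201%3D1--%20 HTTP/1.1" 200 9120 "-" "python-requests/2.31"
198.51.100.7 - - [12/Sep/2025:10:01:11 +0000] "GET /admin/user_search_ajax.php?userName=a%27%20UNION%20SELECT%20username%2Cpassword%2C3%20FROM%20users--%20 HTTP/1.1" 200 18400 "-" "python-requests/2.31"
203.0.113.44 - - [12/Sep/2025:10:02:30 +0000] "POST /admin/user_search_ajax.php HTTP/1.1" 200 480 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2025:10:03:00 +0000] "GET /index.php?name=%27%20OR%201%3D1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2025:10:04:15 +0000] "GET /admin/user_search_ajax.php?name=bob%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 510 "-" "curl/8.4"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns applied to the decoded parameter value. Each label names the class of
# payload; a legitimate username would normally trigger none of them.
SQLI_PATTERNS = [
    ("quote-break", re.compile(r"['\"]\s*(or|and)\b", re.I)),          # ' OR ...
    ("tautology", re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I)),  # OR 1=1
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("comment", re.compile(r"(--\s|#|/\*)")),                           # query truncation
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor\s+delay|pg_sleep)\b", re.I)),
]

VULNERABLE_FILE = "/user_search_ajax.php"
WATCHED_PARAMS = ("name", "userName")


def suspicious_values(target):
    """Return [(param, decoded_value, [indicator labels])] for a request target.

    Only requests for user_search_ajax.php are examined, and only the name/userName
    parameters named in the advisory.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULNERABLE_FILE):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    findings = []
    for param in WATCHED_PARAMS:
        for value in qs.get(param, []):
            decoded = unquote_plus(value)  # second pass catches double-encoded payloads
            hits = [label for label, rx in SQLI_PATTERNS if rx.search(decoded)]
            if hits:
                findings.append((param, decoded, hits))
    return findings


def scan_log(text):
    """Scan access-log text; return (list of hit dicts, Counter of hits per source IP)."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, value, indicators in suspicious_values(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "param": param, "value": value, "indicators": indicators})
            per_ip[m["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    found, by_ip = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["value"]!r} -> {", ".join(h["indicators"])}')
    print("hits per source IP:", dict(by_ip))
```

Feeding a real log through scan_log gives one record per suspicious request plus a per-IP tally, which maps directly onto the "repeated access from diverse IPs" indicator above. Tune SQLI_PATTERNS to your own traffic before alerting on it; names containing an apostrophe followed by "and" or "or" will match the quote-break rule.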
Mitigation and prioritisation
- Apply the official patch or upgrade to a fixed release (1.3.7+); verify remediation across every affected instance, not only the first one found.
- If patching is not immediately feasible, deploy strict WAF rules that block SQL injection attempts against user_search_ajax.php, or temporarily disable the endpoint.
- Enforce prepared statements/parameterised queries and input validation; audit the user_search_ajax.php code and any other handlers that build SQL from request parameters.
- Principle of least privilege: restrict the web application's database account to the tables and operations it actually needs, so a successful injection cannot reach unrelated data.
- Test the fix in staging before deployment; monitor logs after patching for repeat attempts; update incident response playbooks accordingly.
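As an added illustration of the third point above, the following contrasts the anti-pattern that produces this class of bug with the parameterised form that fixes it. It is not SiempreCMS code and makes no claim about the CMS's actual schema or query: the users table, the rows and the use of an in-memory SQLite database are a constructed fixture standing in for a CMS user-search query, and the same distinction applies to PHP with PDO or mysqli prepared statements.

```python
import sqlite3


def make_db():
    """Constructed in-memory fixture standing in for a CMS users table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.org", 1),
         ("bob", "bob@example.org", 0),
         ("carol", "carol@example.org", 0)],
    )
    return conn


def search_users_vulnerable(conn, name):
    """Anti-pattern: the request parameter is spliced into the SQL text.

    A value such as ' OR 1=1-- closes the string literal, adds a tautology and comments
    out the rest of the query, so the WHERE clause no longer restricts anything.
    """
    sql = "SELECT username, email FROM users WHERE username LIKE '%" + name + "%'"
    return conn.execute(sql).fetchall()


def search_users_safe(conn, name):
    """Parameterised query: the value is bound separately and is never parsed as SQL.

    LIKE wildcards in the input are escaped as well, so a search for '%' does not
    silently become a full table dump; that is a separate concern from injection but
    belongs in the same handler.
    """
    escaped = (name.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT username, email FROM users WHERE username LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1--"
    union = "' UNION SELECT username, is_admin FROM users--"
    print("vulnerable, tautology :", search_users_vulnerable(db, tautology))
    print("vulnerable, UNION     :", search_users_vulnerable(db, union))
    print("safe, tautology       :", search_users_safe(db, tautology))
    print("safe, normal lookup   :", search_users_safe(db, "ali"))
```

The vulnerable function returns every row for the tautology payload and leaks the is_admin column through the UNION payload; the parameterised function treats the same strings as literal (and unmatched) search text. When reviewing the real handler, the thing to look for is any concatenation or interpolation of $_GET/$_POST values into the query string.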