Seacms <13.3 is vulnerable to SQL Injection in admin_pay.php.
The vulnerability consists of insufficient validation and sanitization of input data passed to SQL queries in the admin_pay.php file. An attacker can inject malicious SQL code over the network without needing to have an account or user interaction. This allows manipulation of database queries in a manner not intended by the application.
An attacker can gain unauthorized access to sensitive data stored in the database, as well as modify or delete its contents. Under favorable conditions, complete takeover of the database system is also possible.
SeaCMS should be updated to version 13.3 or newer. If immediate update is not possible, it is recommended to restrict access to the admin_pay.php file at the firewall or web server level and implement WAF rules blocking SQL Injection attempts.
SeaCMS in versions prior to 13.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSeacms
APPSeacms≤ 13.3
Related vulnerabilities
SQL injection w SeaCMS v13.3 — komponent admin_comment_news.php
SQL injection w SeaCMS v13.3 — komponent admin_topic.php
SQL injection w SeaCMS v13.3 — komponent admin_manager.php
RCE w SeaCMS v13.3 przez komponent phomebak.php
SQL injection w SeaCMS v13.3 — komponent admin_tempvideo.php