CVE-2026-15490

RafyMrX · TOKO-ONLINE-ROTI

A SQL injection vulnerability in RafyMrX TOKO-ONLINE-ROTI allows remote attackers to execute arbitrary SQL commands via the 'kode_produk' or 'kd_cs' arguments in 'proses/add.php'.

Executive summary

A critical SQL injection vulnerability in RafyMrX TOKO-ONLINE-ROTI allows remote, unauthenticated attackers to manipulate database queries, posing a significant risk of data compromise.

Vulnerability

This is a SQL Injection vulnerability (CWE-89) located in the 'proses/add.php' file. The application fails to properly sanitize the 'kode_produk' and 'kd_cs' input parameters, allowing an unauthenticated remote attacker to inject malicious SQL commands.

Business impact

With a CVSS score of 7.3, this vulnerability represents a high risk to the confidentiality and integrity of the application's backend database. Successful exploitation could lead to unauthorized access to sensitive customer information, modification of order data, or complete database compromise, potentially resulting in significant reputational and operational damage.

Remediation

Immediate Action: As no official patch is currently available from the vendor, administrators should restrict access to 'proses/add.php' and implement strict input validation for all parameters.

Proactive Monitoring: Monitor server access logs for anomalous URL patterns, specifically those containing SQL syntax or unusual characters in the 'kode_produk' or 'kd_cs' fields.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns targeting the identified script.

Exploitation status

Public Exploit Available: Yes — a public exploit has been released.

Analyst recommendation

Given the availability of a public exploit and the lack of a vendor-provided patch, this vulnerability must be treated with high urgency. Organizations utilizing this software should implement WAF-based blocking immediately and consider isolating the affected component until a formal update is released by the developer.