Affiliate Me 5.0.1 SQL Injection Vulnerability via Admin Panel

Advisories

severity: high
date: December 17, 2025
Affecting: Affiliate Me 5.0.1
CVE: CVE-2023-53917
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References: ExploitDB-51468
Official Vendor Homepage
Credit: h4ck3r - Faisal Albuloushi
Description: Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the 'id' parameter with crafted union-based queries to extract sensitive user information including usernames and password hashes.