PKP-WAL 3.5.0-1 SQL Injection

PKP-WAL 3.5.0-1 is vulnerable to a critical SQL Injection flaw. PKP-WAL 3.5.0-1 is vulnerable to a critical SQL Injection flaw. This PHP-based web application, often used for knowledge bases, allows attackers to manipulate database queries through unvalidated user input.

Typically, this occurs in parameters like `id` or `category` within the URL. By injecting malicious SQL code, an attacker can gain unauthorized access to the underlying database. This allows for data exfiltration (e.g., user credentials, sensitive information), data modification, or even full database compromise.

The vulnerability stems from a lack of proper input sanitization and parameterized queries. Users are advised to update to a patched version or implement robust input validation to mitigate this severe flaw.

----------------------------------------------------------------------
PKP-WAL <= 3.5.0-1 (Institution Collector) SQL Injection Vulnerability
----------------------------------------------------------------------


[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib


[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-9
and prior versions, and version 3.5.0-1 and prior versions, as used in
Open Journal Systems (OJS), Open Monograph Press (OMP), and Open
Preprint Systems (OPS).


[-] Vulnerability Description:

The vulnerability is located in the /classes/institution/Collector.php
script. Specifically, into the Collector::getQueryBuilder() method,
where user input passed through the "searchPhrase" GET parameter is
not properly sanitized before being used to construct a SQL query at
lines 143 and 148 by leveraging the DB::raw() method. This can be
exploited by malicious users to e.g. read sensitive data from the
database through boolean-based or time-based SQL Injection attacks.

Successful exploitation of this vulnerability requires an account with
permissions to access the .../api/v1/institutions API endpoint, such
as a "Journal Editor" or "Production Editor" user account on OJS.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-67889.php


[-] Solution:

Upgrade to versions 3.4.0-10, 3.5.0-2, or later.


[-] Disclosure Timeline:

[25/10/2025] - Vendor notified
[26/10/2025] - Vendor fixed the issue and opened a public GitHub
issue: https://github.com/pkp/pkp-lib/issues/11977
[12/11/2025] - CVE identifier requested
[18/11/2025] - Version 3.4.0-10 released
[12/12/2025] - CVE identifier assigned
[29/11/2025] - Version 3.5.0-2 released
[23/12/2025] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67889 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-10