Web-Based Inventory and POS System
CVE-2025-11431
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was determined in code-projects Web-Based Inventory and POS System 1.0. The impacted element is an unknown function of the file /transaction.php. Manipulation of the argument shopid causes SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Analysis (AI)
SQL injection in code-projects Web-Based Inventory and POS System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the shopid parameter of /transaction.php, with limited impact on data confidentiality, integrity, and availability. The CVSS score of 2.1 reflects low severity because exploitation requires authentication and the scope is constrained, but the vulnerability has been publicly disclosed and exploit code is publicly available.
Technical Context (AI)
The vulnerability exists in /transaction.php, a PHP component of the web application, where user-supplied input from the shopid parameter is not sanitized before being incorporated into SQL queries. The weakness is improper neutralization of special elements passed to a downstream component (injection, CWE-74), here in the form of SQL injection. The inventory and point-of-sale system likely passes the shopid parameter directly into database queries without prepared (parameterized) statements or input validation, so SQL syntax in the value changes the query. The architecture is a PHP backend that processes HTTP requests and executes database operations, typical of lightweight e-commerce or retail management platforms.
Remediation (AI)
Contact the vendor at code-projects.org about patched releases or upgrade guidance; no vendor-released patch version is currently identified. Until a vendor patch is available, apply the following compensating controls: restrict the database account used by the application to SELECT on the tables it needs and deny CREATE, DROP, ALTER, and DELETE privileges, which limits what an injected query can do; add Web Application Firewall (WAF) rules that detect and block SQL syntax in the shopid parameter (single quotes, UNION, SELECT, OR 1=1, and similar); enforce strong access controls so that only trusted staff can authenticate to the system, since exploitation requires a valid account; and consider disabling the /transaction.php endpoint if its functionality is not critical, falling back to an alternative transaction logging mechanism. Each mitigation has trade-offs: WAF rules may produce false positives when legitimate data contains SQL-like strings; restricting database permissions requires application testing to confirm that no legitimate query fails; and limiting who can authenticate may reduce operational efficiency.
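To make the Technical Context and Remediation concrete, the following is an added example and not code from the code-projects application: the unsafe handler is a hypothetical reconstruction of the concatenation pattern described above, and the hardened handler shows the prepared-statement fix together with a read-only database account as the remediation suggests. Table and column names, the DSN, and credentials are assumed.

```php
<?php
// Added example, not code from the code-projects application. The unsafe
// handler is a hypothetical reconstruction of the pattern the advisory
// describes (shopid concatenated into SQL); table and column names are assumed.

// UNSAFE PATTERN (for contrast only): the untrusted shopid value becomes part
// of the SQL text, so quote characters and SQL keywords in it alter the query.
function loadTransactionsUnsafe(mysqli $db, array $request)
{
    $shopid = $request['shopid'] ?? '';
    $sql = "SELECT id, total, created_at FROM transactions WHERE shopid = '"
         . $shopid . "'";
    return $db->query($sql);
}

// HARDENED: reject anything that is not a positive integer, then bind the
// value as a typed parameter so the database never parses it as SQL.
function loadTransactionsSafe(PDO $db, array $request): array
{
    $shopid = filter_var(
        $request['shopid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($shopid === false) {
        http_response_code(400);   // malformed input is an error, not a query
        return [];
    }
    $stmt = $db->prepare(
        'SELECT id, total, created_at FROM transactions WHERE shopid = :shopid'
    );
    $stmt->bindValue(':shopid', $shopid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Wiring (constructed DSN and credentials). Per the remediation, the account
// used here should hold only the SELECT privilege on the tables it needs, so
// even a missed injection point cannot modify or drop data.
$pdo = new PDO('mysql:host=localhost;dbname=pos', 'pos_readonly', 'CHANGEME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
header('Content-Type: application/json');
echo json_encode(loadTransactionsSafe($pdo, $_GET));
```

With emulated prepares disabled, the parameter is sent to the server separately from the query text, which is the property that makes the hardened form immune to the injection the advisory describes.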