E-Commerce Website
CVE-2025-11509
LOW
Severity by source
CVSS 4.0 vector (NVD, primary rating and the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was detected in code-projects E-Commerce Website 1.0. This impacts an unknown function of the file /pages/product_add.php. Performing manipulation of the argument prod_name results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.
Analysis (AI)
SQL injection in code-projects E-Commerce Website 1.0 lets an authenticated remote attacker (PR:L, so any low-privileged account that can reach the page) manipulate the prod_name parameter of /pages/product_add.php, with limited confidentiality, integrity and availability impact (VC:L/VI:L/VA:L). Although a public exploit exists, the EPSS score is low (0.03%, 8th percentile) and the attacker needs prior authentication, so exploitation in typical deployments is assessed as unlikely. That assessment assumes the application's accounts are not self-registrable by arbitrary users; if they are, the authentication precondition provides little protection.
Technical Context (AI)
The vulnerability is in /pages/product_add.php, where user-supplied input from the prod_name parameter is placed into a database query without parameterized statements or proper validation. This is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), of which SQL injection (CWE-89) is the specific case. The affected product is code-projects E-Commerce Website 1.0 (CPE: cpe:2.3:a:fabian:e-commerce_website:1.0). Although the flaw is SQL injection, the NVD CVSS 4.0 vector rates the confidentiality, integrity and availability impact as low (VC:L/VI:L/VA:L) rather than as full compromise, which implies the scorer assumed a restricted database account or a query context that limits what an injected statement can reach. Treat that as an assumption to verify in your own deployment: an application connecting as a highly privileged database user would raise the real impact well above the published score.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Remediation requires fixing the query in /pages/product_add.php: use prepared statements with bound parameters so the database never parses the prod_name value as SQL; validate prod_name against the expected product name format (allowed character set, length limit) and reject non-conforming input rather than trying to strip characters out of it; and apply output encoding wherever product names are rendered in HTML. As an interim compensating control, restrict access to /pages/product_add.php to authorized administrative users via web application firewall (WAF) rules or network-level access controls, accepting that this limits legitimate product catalog management, or disable the product-add functionality entirely if it is not in active use. Also confirm that the application's database account holds only the privileges the application needs (no FILE privilege, no access to other schemas); this bounds the impact of any injection that remains. Consult https://vuldb.com/?ctiid.327634 and the public exploit at https://github.com/Blowingwinds/cve-report/blob/main/cve1/report.md for the published attack details to guide testing of the fix.
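The fix described above, shown as an added illustration in PHP with mysqli (this is not code from the code-projects E-Commerce Website, whose actual query and schema are not reproduced on this page). The table and column names products, prod_name and prod_price, the price field and the allowed-character policy for product names are assumptions; only the parameter name prod_name and the file /pages/product_add.php come from the advisory.

```php
<?php
// Added illustration, not the vendor's code. Schema (products, prod_name,
// prod_price) and the name policy are assumed for the example.

// Vulnerable pattern: the prod_name value is interpolated into the SQL text.
// A value containing a single quote terminates the string literal and the
// remainder of the value is parsed by the database as SQL (CWE-89).
function add_product_vulnerable(mysqli $db, array $post): bool
{
    $name  = $post['prod_name'] ?? '';
    $price = $post['prod_price'] ?? '0';
    $sql = "INSERT INTO products (prod_name, prod_price) VALUES ('$name', '$price')";
    return $db->query($sql) === true;
}

// Defence in depth: accept only product names that match the expected shape.
// Returns the trimmed name, or null if the input must be rejected.
function validate_product_name(string $name): ?string
{
    $name = trim($name);
    // Assumed policy: 1..100 characters drawn from letters, digits, space and
    // a small set of punctuation. Reject anything else instead of "cleaning" it.
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9 .,\'()&-]+$/', $name)) {
        return null;
    }
    return $name;
}

// Hardened version: validate, then bind the values as parameters. The SQL
// text is fixed at prepare() time, so the bound string (apostrophes included)
// can never change the statement's structure.
function add_product_safe(mysqli $db, array $post): bool
{
    $name = validate_product_name((string)($post['prod_name'] ?? ''));
    if ($name === null) {
        return false;
    }
    $price = filter_var($post['prod_price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($price === false || $price < 0) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO products (prod_name, prod_price) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sd', $name, $price); // s = string, d = double
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output encoding for the catalogue page: the stored name is data, not HTML.
function render_product_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The prepared statement is the control that actually removes the injection; the validation step only narrows what reaches the database and gives a clear rejection path, and the output encoding addresses the separate concern of stored names being rendered in HTML. Since PHP 8.1 mysqli reports errors as exceptions by default, so in a real handler the prepare() and execute() failures would surface as mysqli_sql_exception rather than as a false return; the explicit checks are kept here so the example reads the same on older configurations.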