E-Commerce Website
CVE-2025-11511
LOW
Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A flaw has been found in code-projects E-Commerce Website 1.0. Affected is an unknown function of the file /pages/supplier_add.php. Executing manipulation of the argument supp_email can lead to SQL injection. The attack may be launched remotely. The exploit has been published and may be used.
Analysis (AI-generated)
SQL injection in E-Commerce Website 1.0 allows authenticated remote attackers to manipulate the supp_email parameter in /pages/supplier_add.php, achieving limited information disclosure and integrity violation. The vulnerability requires login credentials (PR:L in CVSS 4.0 vector) but can be exploited over the network with low complexity. Publicly available exploit code exists, though EPSS scoring (0.03%) suggests minimal real-world exploitation despite proof-of-concept availability.
Technical Context (AI-generated)
The vulnerability is a classic SQL injection (CWE-74: Improper Neutralization of Special Elements used in an Output) in a PHP-based e-commerce application. The supp_email parameter in /pages/supplier_add.php accepts unsanitized user input that is incorporated into SQL queries without parameterization or escaping. The CVSS 4.0 vector indicates a network-accessible endpoint (AV:N) with low attack complexity (AC:L), but limited impact: the attacker gains low confidentiality, integrity, and availability impact on the vulnerable system (VC:L/VI:L/VA:L), with no impact on subsequent systems (SC:N/SI:N/SA:N), rather than full database compromise. The CPE cpe:2.3:a:fabian:e-commerce_website:1.0 confirms the specific affected product version.
Remediation (AI-generated)
Apply input validation and parameterized queries to /pages/supplier_add.php immediately. Replace direct string concatenation in SQL queries with prepared statements (parameterized queries) using the PHP PDO or MySQLi prepared-statement APIs. Validate the supp_email parameter against a strict email pattern on both the client and the server side before it is used in SQL; only the server-side check is a security control, since client-side checks can be bypassed. As a compensating control if code patching is delayed, deploy Web Application Firewall (WAF) rules that block requests containing SQL keywords or special characters (quotes, dashes, comment sequences) in the supp_email field, with the caveat that such rules may also block legitimate email addresses containing plus signs or underscores. Contact the vendor (fabian/code-projects.org) for an updated release; no patched version had been publicly announced at the time of analysis.
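As an added illustration of the remediation above (a constructed example, not code from E-Commerce Website 1.0; the `suppliers` table, its `supp_email` column and the function names are assumed), the vulnerable concatenation pattern is shown next to its hardened form using server-side validation plus a MySQLi prepared statement:

```php
<?php
// Constructed example for the CVE-2025-11511 remediation; not the project's own code.
// Table and column names (suppliers, supp_email) are assumed for illustration.

// BEFORE (vulnerable pattern): the request value is spliced into the SQL text, so a
// quote or comment sequence inside supp_email changes the structure of the query.
function add_supplier_vulnerable(mysqli $db, array $post): bool {
    $email = $post['supp_email'] ?? '';
    $sql = "INSERT INTO suppliers (supp_email) VALUES ('" . $email . "')";
    return $db->query($sql) === true;
}

// Server-side syntax check. Returns the normalised address or null on rejection.
// Note: RFC 5322 permits an apostrophe in the local part, so validation alone is
// not a substitute for parameter binding; it only narrows the accepted input.
function validate_supplier_email(string $raw): ?string {
    $email = trim($raw);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// AFTER (hardened): validate first, then bind the value as a parameter so the
// driver sends it separately from the SQL text and it can never alter the query.
function add_supplier_hardened(mysqli $db, array $post): bool {
    $email = validate_supplier_email((string)($post['supp_email'] ?? ''));
    if ($email === null) {
        http_response_code(400);   // reject malformed input; do not attempt the insert
        return false;
    }
    $stmt = $db->prepare("INSERT INTO suppliers (supp_email) VALUES (?)");
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return false;
    }
    $stmt->bind_param('s', $email);   // 's' = bind as string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Exercise the validator on constructed inputs (no database needed): a plus-address
// that a naive WAF rule might block, a local part containing an apostrophe, and a
// value with whitespace and a comment sequence.
foreach (["vendor+sales@example.com", "o'brien@example.com", "x@example.com -- note"] as $c) {
    printf("%-28s => %s\n", $c, validate_supplier_email($c) === null ? 'rejected' : 'accepted');
}
```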