code-projects E-Commerce Website CVE-2025-11597
Severity by source: LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was identified in code-projects E-Commerce Website 1.0. The impacted element is an unknown function of the file /pages/product_add_qty.php. Manipulation of the argument prod_id leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used.
Analysis (AI-generated)
SQL injection in code-projects E-Commerce Website 1.0 allows an authenticated remote attacker (the vector requires low privileges, PR:L, and no user interaction) to manipulate the prod_id parameter of /pages/product_add_qty.php and alter the SQL query it builds, potentially leading to unauthorized database reads or writes. The source rates the vulnerability LOW with a CVSS score of 2.1 and low confidentiality, integrity and availability impact, but public exploit code exists (E:P), which lowers the practical barrier to exploitation once an attacker holds any valid account.
Technical Context (AI-generated)
The vulnerability exists in a PHP-based e-commerce application where user-supplied input from the prod_id parameter is not neutralized before being incorporated into an SQL query. The source classifies it under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, the generic injection weakness); the specific child weakness for SQL injection is CWE-89. The affected file /pages/product_add_qty.php processes product quantity additions without input validation of prod_id or use of a parameterized query. The CPE cpe:2.3:a:fabian:e-commerce_website:1.0 identifies the affected product and pins the affected version to 1.0.
Remediation (AI-generated)
Fix /pages/product_add_qty.php so that prod_id can no longer change the structure of the query: replace SQL string concatenation with prepared statements and bound parameters (PHP PDO or mysqli), and validate prod_id against an allow-list before it reaches the database layer, accepting only integers if product IDs are numeric. While the code fix is being tested, a Web Application Firewall (WAF) rule that blocks non-numeric or SQL-metacharacter values in prod_id is a reasonable compensating control, but it is not a substitute for the fix. No vendor-released patch version is documented in the provided data, so coordinate with code-projects for a patched release or apply the fix directly if you have source access; while doing so, audit the other query sites in the application for the same concatenation pattern. Test the change in a staging environment to confirm that adding a product quantity still works once parameter binding is in place.