
Bdtask Wholesale Inventory Control CVE-2025-12287

Severity: LOW
Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-27 · CNA: cna@vuldb.com
Score: 2.0 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.0 LOW

Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:32 (vuln.today)

Description (CVE.org)

A security vulnerability has been detected in Bdtask Wholesale Inventory Control and Inventory Management System up to 20251013. This impacts an unknown function of the file /Admin_dashboard/edit_profile. Such manipulation of the argument first_name/last_name leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

SQL injection in Bdtask Wholesale Inventory Control and Inventory Management System up to version 20251013 allows high-privileged remote attackers to manipulate the first_name and last_name parameters in the /Admin_dashboard/edit_profile endpoint, leading to unauthorized database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

Technical Context (AI)

The vulnerability exists in the admin profile editing functionality at /Admin_dashboard/edit_profile, where the user-supplied first_name and last_name parameters are incorporated into SQL queries without adequate neutralization. This is a classic SQL injection, classified here under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')): an attacker who already holds high-privilege administrative access can submit input containing SQL metacharacters to alter the query's logic. The affected product is identified via CPE as cpe:2.3:a:bdtask:wholesale:*:*:*:*:*:*:*:*, indicating that the entire Bdtask Wholesale product line up to version 20251013 is in scope.

Remediation (AI)

Upgrade to a patched version of Bdtask Wholesale Inventory Control released after version 20251013. If no patched version is yet available from the vendor, implement immediate compensating controls:

1. Restrict access to the /Admin_dashboard/edit_profile endpoint via Web Application Firewall (WAF) rules to permit only legitimate administrative IP ranges, accepting the trade-off of reduced flexibility for remote admin access.
2. Enable SQL query logging and alerting on the database layer to detect unusual SQL patterns in profile editing operations.
3. Enforce the principle of least privilege by auditing and removing unnecessary administrative accounts, reducing the number of users who can trigger this vulnerability.

Apply input validation at the application layer to reject first_name and last_name parameters containing SQL metacharacters (', ", --, ;, /*) until a vendor patch is released. Contact Bdtask directly for a patch timeline given vendor non-responsiveness to date.
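The following is an added illustration, not code from Bdtask or from vuln.today, of the defect class described in the Technical Context and of two of the compensating controls above. It places a profile UPDATE that splices first_name/last_name into the SQL text beside the same UPDATE with bound parameters, implements the metacharacter reject-list the remediation proposes, and runs a simple pattern check over constructed query-log lines. The admin_users table, its columns, the demo accounts and every input are constructed for this example; the product's real schema and code are not known from the page.

```python
"""Added example, not code from Bdtask or vuln.today.

Shows why splicing first_name/last_name into an UPDATE is injectable, the
same update with bound parameters, the stop-gap reject-list from the
remediation, and a query-log check. Table/column names and all inputs are
constructed for this demo.
"""
import re
import sqlite3

# Reject-list from the remediation text: ', ", --, ;, /*
SQL_META = re.compile(r"""['";]|--|/\*""")


def setup_db():
    """Constructed admin profile table with two demo accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO admin_users VALUES (?, ?, ?)",
        [(1, "Alice", "Admin"), (2, "Bob", "Backup")],
    )
    conn.commit()
    return conn


def update_profile_vulnerable(conn, user_id, first_name, last_name):
    """Vulnerable pattern: request parameters are spliced into the SQL text,
    so a quote inside a name changes the statement's structure."""
    sql = (
        f"UPDATE admin_users SET first_name='{first_name}', "
        f"last_name='{last_name}' WHERE id={int(user_id)}"
    )
    conn.execute(sql)
    conn.commit()


def update_profile_fixed(conn, user_id, first_name, last_name):
    """Hardened form: values travel as bound parameters and never become SQL."""
    conn.execute(
        "UPDATE admin_users SET first_name=?, last_name=? WHERE id=?",
        (first_name, last_name, int(user_id)),
    )
    conn.commit()


def passes_reject_list(value):
    """Stop-gap input filter from the remediation. Note that it also rejects
    legitimate names containing an apostrophe, e.g. O'Brien."""
    return SQL_META.search(value) is None


def profiles(conn):
    """Current table contents, ordered by id."""
    return conn.execute(
        "SELECT id, first_name, last_name FROM admin_users ORDER BY id"
    ).fetchall()


def suspicious_log_lines(lines):
    """Detection over query-log lines (remediation item 2): flag UPDATEs on the
    profile columns that carry a comment marker or a tautological WHERE."""
    pat = re.compile(
        r"UPDATE\s+\w+\s+SET\s+.*(first_name|last_name).*(--|/\*|WHERE\s+1\s*=\s*1)",
        re.I,
    )
    return [ln for ln in lines if pat.search(ln)]


if __name__ == "__main__":
    db = setup_db()
    # A legitimate name with an apostrophe: the vulnerable form raises a
    # syntax error, the fixed form stores it verbatim.
    try:
        update_profile_vulnerable(db, 1, "Conor", "O'Brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable UPDATE failed on O'Brien:", exc)
    update_profile_fixed(db, 1, "Conor", "O'Brien")
    print(profiles(db))
    # A structure-altering value (constructed): the vulnerable form rewrites
    # every row because the WHERE clause is commented out; the fixed form
    # stores the text as an odd-looking first name for one row only.
    tamper = "Mallory', last_name='X' WHERE 1=1 --"
    update_profile_fixed(db, 1, tamper, "ignored")
    print(profiles(db))
    update_profile_vulnerable(db, 1, tamper, "ignored")
    print(profiles(db))
    print(passes_reject_list("Alice"), passes_reject_list("O'Brien"), passes_reject_list(tamper))
```

The parameterized UPDATE is the actual fix; the reject-list is only the interim control the remediation describes, and as the O'Brien case shows it will refuse some legitimate names, so expect support tickets while it is in place. The log check is deliberately narrow (comment markers and a 1=1 tautology on UPDATEs touching the profile columns) to keep false positives low on a busy database.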

