SourceCodester Point of Sales CVE-2025-12294
Severity (by source): LOW
CVSS vector (NVD; primary rating and the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security flaw has been discovered in SourceCodester Point of Sales 1.0. Impacted is an unknown function of the file /delete_category.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited.
Analysis (AI)
SQL injection in SourceCodester Point of Sales 1.0 via the ID parameter of /delete_category.php allows high-privilege remote attackers to manipulate database queries. The vulnerability requires administrative credentials (PR:H) and carries low confidentiality, integrity, and availability impact. Public exploit code exists, though the EPSS score (0.03%) suggests limited real-world exploitation so far.
Technical Context (AI)
The vulnerability stems from improper input validation in a PHP-based point-of-sale application. The /delete_category.php endpoint fails to validate or parameterize the ID parameter before incorporating it into an SQL query, enabling SQL injection (classified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The affected product is janobe Point of Sales 1.0 (CPE: cpe:2.3:a:janobe:point_of_sales:1.0:*:*:*:*:*:*:*), a web application commonly deployed in small retail or restaurant environments. SQL injection in this context typically allows an attacker to read, modify, or delete database records, depending on the database account's permissions and how the query is constructed.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Mitigation requires:
1. Upgrade to a patched version if one is available from SourceCodester/janobe; contact the vendor directly at www.sourcecodester.com for security advisories.
2. If no upgrade is available, implement input validation and parameterized queries in /delete_category.php so that the ID parameter is sanitized before use in SQL statements.
3. Restrict network access to the POS application via firewall rules, allowing only trusted internal networks.
4. Enforce strong, unique passwords for administrative accounts and implement multi-factor authentication to reduce the risk of credential compromise.
5. Monitor database query logs for anomalous SQL syntax reaching the delete_category endpoint.
Given the requirement for high-privilege access, the primary mitigation strategy is administrative credential protection rather than network-level controls, though network segmentation provides defense in depth.
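The following is an added illustration of mitigation step 2, written for this page; it is not SourceCodester's or janobe's code and does not reproduce the actual contents of /delete_category.php. It assumes a mysqli connection, a hypothetical table named category with an integer primary key id, an admin flag kept in $_SESSION['admin'], and placeholder database credentials. The first function shows the general pattern the advisory describes (the ID value concatenated into the SQL text); the second shows the hardened form that validates the type and binds the value as a parameter.

```php
<?php
// Added example, not code from the SourceCodester Point of Sales project.
// Assumptions: mysqli handle $conn; hypothetical table `category` (int column `id`);
// admin session flag $_SESSION['admin']; placeholder DB credentials below.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // driver errors become exceptions

// Pattern the advisory describes (do not use): the raw ID becomes part of the
// SQL string, so whatever the parameter contains is parsed as SQL.
function delete_category_unsafe(mysqli $conn, string $id): bool
{
    return (bool) $conn->query("DELETE FROM category WHERE id = " . $id);
}

// Hardened form: validate the type first, then bind the value as a parameter.
// Returns the number of rows deleted (0 means no such category).
function delete_category_safe(mysqli $conn, $rawId): int
{
    // 1. Input validation: a category ID can only be a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid category id');
    }

    // 2. Parameterized query: the value never enters the SQL text.
    $stmt = $conn->prepare('DELETE FROM category WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Endpoint glue, roughly what a hardened delete_category.php would do.
session_start();
if (empty($_SESSION['admin'])) {            // the action is admin-only (PR:H)
    http_response_code(403);
    exit('forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { // state change: refuse GET deletes
    http_response_code(405);
    exit('method not allowed');
}

$conn = new mysqli('localhost', 'pos_user', 'PLACEHOLDER_PASSWORD', 'pos_db'); // placeholder credentials

try {
    $deleted = delete_category_safe($conn, $_POST['id'] ?? '');
    echo $deleted > 0 ? 'category deleted' : 'no such category';
} catch (InvalidArgumentException $e) {
    http_response_code(400);                 // bad input is rejected, never queried
    echo 'bad request';
}
```

The validation step alone would already stop non-numeric input, but the prepared statement is what makes the query's structure independent of the value; keeping both means a later change to the column type or the validation rule does not silently reopen the issue. Requiring POST and an admin session mirrors the PR:H precondition the rating states and keeps the delete from being triggered by a plain link.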