Is there a public PoC exploit available for CVE-2025-14898?

Yes, a public proof-of-concept exploit is available for CVE-2025-14898. Prioritise patching immediately. EPSS: 0.0%.

CodeAstro Real Estate Management System CVE-2025-14898

Q: What is the CVSS score of CVE-2025-14898?

CVE-2025-14898 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-12-19 cna@vuldb.com

PHP SQLi Real Estate Management System

2.0

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 02:48 vuln.today

DescriptionNVD

A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component Administrator Endpoint. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privilege administrators to execute arbitrary SQL queries via the /admin/userbuilderdelete.php endpoint. The vulnerability requires authenticated administrator access (CVSS PR:H) and affects only confidentiality and integrity with low impact. Publicly available exploit code exists, though exploitation is limited by the requirement for valid high-privilege credentials and carries low real-world risk due to EPSS score of 0.05% and the attacker profile (malicious insiders with admin accounts).

Technical ContextAI

The vulnerability is a SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based web application component. The affected file /admin/userbuilderdelete.php fails to properly sanitize or parameterize user input before constructing SQL queries, allowing authenticated administrators to inject arbitrary SQL syntax. The CodeAstro Real Estate Management System 1.0 (CPE: cpe:2.3:a:codeastro:real_estate_management_system:1.0:*:*:*:*:*:*:*) is a PHP application likely using a traditional SQL database backend without prepared statement protections in this specific endpoint. The attack vector is network-based but requires valid administrative credentials to access the protected endpoint.

RemediationAI

Apply vendor security update if available from CodeAstro at https://codeastro.com/ to patch the SQL injection in /admin/userbuilderdelete.php. If no patched version is available or deployment cannot be immediately upgraded, implement parameterized prepared statements in the /admin/userbuilderdelete.php endpoint to eliminate SQL injection, conduct code review of all administrator-facing endpoints for similar SQL injection patterns, restrict administrative console access to specific IP addresses or VPN networks using web application firewall rules, enforce strong administrator credential policies (unique passwords, multi-factor authentication, password rotation), and implement SQL query logging and anomaly detection to alert on suspicious administrator-initiated queries. Monitor VulDB (https://vuldb.com/?ctiid.337423) and the vendor website for security updates.

CVE-2025-14898 vulnerability details – vuln.today

Back