CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
A vulnerability, which was classified as critical, has been found in SourceCodester Client Database Management System 1.0. This issue affects some unknown processing of the file /user_customer_create_order.php. The manipulation of the argument user_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
A critical SQL injection vulnerability exists in SourceCodester Client Database Management System version 1.0 affecting the /user_customer_create_order.php file, where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and proof-of-concept availability elevate exploitation risk, though the CVSS 7.3 rating indicates moderate real-world impact rather than critical severity.
Technical Context (AI)
The vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an Output ('Injection')) in a PHP-based web application. The /user_customer_create_order.php endpoint fails to properly validate or parameterize the user_id input parameter before incorporating it into SQL queries. SourceCodester Client Database Management System 1.0 is a PHP-based customer relationship and order management application typically running on Apache/Nginx with MySQL/MariaDB backends. The root cause is the absence of prepared statements or input validation, allowing attackers to break out of intended SQL context and execute arbitrary queries. This affects CPE entry: cpe:2.3:a:sourcecodester:client_database_management_system:1.0:*:*:*:*:*:*:*
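The fix the Technical Context calls for, shown as an added example that is not SourceCodester's own code: the order-creation handler validates user_id as an integer and binds it through a PDO prepared statement instead of concatenating it into the query. The table and column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example (hypothetical; not the vendor's code). Shows the root cause
// named above and its fix: user_id must never be concatenated into SQL.
// Table/column names and connection details are assumptions.

// The pattern the advisory describes (do not use):
//   $sql = "SELECT * FROM customers WHERE user_id = " . $_GET['user_id'];
// Anything other than a bare integer changes the query's structure.

declare(strict_types=1);

/**
 * Resolve the customer row for an order request.
 * Returns the row as an associative array, or null if not found.
 *
 * @throws InvalidArgumentException when user_id is not a positive integer
 */
function findCustomerForOrder(PDO $db, mixed $rawUserId): ?array
{
    // 1. Validate: user_id is an identifier, so reject anything that is
    //    not a positive integer before it reaches the database layer.
    $userId = filter_var($rawUserId, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($userId === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }

    // 2. Parameterize: the query text is fixed; the value travels
    //    separately as a typed parameter and cannot alter the SQL.
    $stmt = $db->prepare(
        'SELECT id, name, email FROM customers WHERE user_id = :user_id'
    );
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request-handler usage (assumed DSN and credentials).
$db = new PDO('mysql:host=localhost;dbname=cdms', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
]);

try {
    $customer = findCustomerForOrder($db, $_GET['user_id'] ?? null);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}
```

The same two steps, integer validation followed by a bound parameter, apply to every other request parameter the script feeds into a query.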
Remediation (AI)
Contact SourceCodester directly or check their official website/GitHub for patched versions beyond 1.0. Because this is a third-party open-source project, patches may be available only in development branches.
Related identifier: EUVD-2025-18478