EUVD-2025-18713Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability has been found in code-projects Online Shoe Store 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /contactus1.php. The manipulation of the argument Message leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
CVE-2025-6303 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus1.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.
Technical ContextAI
This vulnerability represents a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) where user-supplied input from the 'Message' parameter in /contactus1.php is not properly sanitized before being incorporated into SQL queries. The affected product is code-projects Online Shoe Store 1.0, an e-commerce application likely built with PHP and a relational database backend (MySQL/MariaDB/PostgreSQL). The root cause is insufficient input validation and lack of parameterized queries or prepared statements. The attacker can manipulate the Message POST/GET parameter to break out of the intended SQL context and inject malicious SQL commands. CWE-74 categorizes this as improper neutralization of special elements, indicating the application fails to escape or validate metacharacters that have special meaning in SQL syntax.
RemediationAI
Immediate actions: (1) Disable or restrict access to /contactus1.php if the contact form is non-critical; (2) Implement Web Application Firewall (WAF) rules to block SQL injection payloads in the Message parameter (pattern matching for SQL keywords: UNION, SELECT, INSERT, DROP, etc.); (3) Apply rate limiting and IP-based restrictions to the contact endpoint. Medium-term remediation: (1) Contact code-projects for security updates or patch availability—if no patches are forthcoming, plan application replacement; (2) Implement input validation: use allowlists for Message content, restrict to alphanumeric characters and basic punctuation, enforce maximum length limits; (3) Refactor /contactus1.php to use parameterized SQL queries (prepared statements) with bound parameters instead of string concatenation; (4) Apply principle of least privilege to database credentials used by the web application. Long-term: Migrate to a maintained e-commerce platform with modern security practices.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today