PHP CVE-2025-6304

EUVD-2025-18718 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-06-20 cna@vuldb.com
5.5
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Severity Changed: Apr 29, 2026 - 01:11 (NVD), HIGH → MEDIUM
CVSS changed: Apr 29, 2026 - 01:11 (NVD), 7.3 (HIGH) → 5.5 (MEDIUM)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd), EUVD-2025-18718
Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
PoC Detected: Jun 26, 2025 - 21:19 (vuln.today), public exploit code
CVE Published: Jun 20, 2025 - 04:15 (nvd), HIGH 7.3

Description (CVE.org)

A vulnerability was found in code-projects Online Shoe Store 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /cart.php. The manipulation of the argument qty[] leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-6304 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /cart.php file's qty[] parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete sensitive data. The vulnerability has been publicly disclosed with proof-of-concept exploits available, presenting immediate exploitation risk to unpatched instances of this e-commerce application.

Technical Context (AI)

The vulnerability exists in the cart.php file of the Online Shoe Store application, where user-supplied input from the qty[] (quantity array) parameter is improperly sanitized before being incorporated into SQL queries. This represents a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') vulnerability, specifically SQL injection. The lack of parameterized queries or input validation on array-based parameters allows attackers to inject malicious SQL syntax through the quantity field, potentially bypassing authentication and authorization controls. The affected product is code-projects Online Shoe Store version 1.0, a PHP-based e-commerce application that appears to use a traditional relational database backend without proper prepared statement implementation.

Remediation (AI)

Immediate actions:

(1) Apply input validation to qty[] parameters: use a whitelist approach that accepts only numeric values and rejects special characters.
(2) Implement parameterized queries/prepared statements for all database interactions in cart.php, replacing string concatenation with bound parameters.
(3) If patches are unavailable from the vendor (code-projects appears to lack active support), implement Web Application Firewall (WAF) rules blocking SQL injection patterns in cart requests.
(4) Disable or isolate the Online Shoe Store application if it is not actively maintained, and migrate to a supported e-commerce platform (WooCommerce, Magento, Shopify, etc.).
(5) Conduct an immediate database audit for unauthorized access or data exfiltration via this vector.
(6) Apply the principle of least privilege to the database user account used by cart.php (remove administrative rights).

Long-term: Migrate away from the unsupported code-projects application to an actively maintained e-commerce solution.
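Remediation steps (1) and (2) sketched in PHP, as an added example that is not code from the Online Shoe Store project. The `cart` table, its columns, the `qty[product_id]` request shape and the 1 to 99 quantity range are assumptions, and an in-memory SQLite database stands in for the real backend.

```php
<?php
declare(strict_types=1);
// Added example. Table, columns and request shape are assumptions,
// not taken from the Online Shoe Store source. Requires PHP 8 with pdo_sqlite.

/** Accept only product-id => whole-number pairs; reject anything else. */
function validate_quantities(mixed $raw, int $max = 99): array
{
    if (!is_array($raw)) {
        throw new InvalidArgumentException('qty must be an array');
    }
    $clean = [];
    foreach ($raw as $productId => $qty) {
        $id = filter_var($productId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        // Nested arrays (qty[1][]=...) are not scalar and are rejected here.
        $n = is_scalar($qty)
            ? filter_var($qty, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => $max]])
            : false;
        if ($id === false || $n === false) {
            throw new InvalidArgumentException('invalid cart entry');
        }
        $clean[$id] = $n;
    }
    return $clean;
}

/** Values reach the database only as bound integer parameters. */
function update_cart(PDO $db, array $quantities): void
{
    $stmt = $db->prepare('UPDATE cart SET qty = :qty WHERE product_id = :id');
    foreach ($quantities as $id => $qty) {
        $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
    }
}

// Constructed demo data; in cart.php the input would be $_POST['qty'] ?? null.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cart (product_id INTEGER PRIMARY KEY, qty INTEGER)');
$db->exec('INSERT INTO cart VALUES (1, 1), (2, 1)');
$samples = [['1' => '3', '2' => '5'], ['1' => "2'"], ['1' => ['nested']], 'not-an-array'];
foreach ($samples as $qty) {
    try {
        update_cart($db, validate_quantities($qty));
        echo "accepted\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Validation and binding are independent layers: the prepared statement keeps the query structure fixed even if a validation rule is later loosened.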
