Which versions of PHP are affected by CVE-2025-6315?

A critical SQL injection vulnerability in Online Shoe Store 1.0 allows remote attackers to compromise customer data and system integrity without authentication.

Is there a public PoC exploit available for CVE-2025-6315?

Yes, a public proof-of-concept exploit is available for CVE-2025-6315. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-6315?

Within 24 hours: Immediately take the vulnerable /cart2.php endpoint offline or restrict access via firewall to essential users only; scan logs for exploitation attempts. Within 7 days: Deploy WAF rules to block SQL injection patterns in the ID parameter; implement database query parameterization fixes if in-house development is possible; notify customers if any evidence of compromise exists. Within 30 days: Upgrade or replace Online Shoe Store with a patched version when available; conduct full security assessment of the application; implement web application firewall baseline rules for production.

PHP CVE-2025-6315

Q: What is the CVSS score of CVE-2025-6315?

CVE-2025-6315 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2025-28716 MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-06-20 cna@vuldb.com

PHP SQLi

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-28716

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

PoC Detected

Jun 26, 2025 - 21:10 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 07:15 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability was found in code-projects Online Shoe Store 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /cart2.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-6315 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /cart2.php endpoint via an unsanitized ID parameter. An unauthenticated remote attacker can exploit this over the network with low complexity to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. A public proof-of-concept has been disclosed and the vulnerability may be actively exploited.

Technical ContextAI

This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests as SQL injection in the /cart2.php file. The Online Shoe Store application fails to properly sanitize or parameterize the ID parameter before incorporating it into SQL queries. This is a classic web application vulnerability where user-controlled input reaches SQL execution contexts without adequate escaping, prepared statements, or input validation. The affected product is code-projects Online Shoe Store 1.0, likely built with PHP (inferred from .php file extension) without modern ORM frameworks or parameterized query patterns.

RemediationAI

Immediate actions: (1) Apply input validation to the ID parameter—enforce expected data type (integer if numeric) and whitelist acceptable values; (2) Implement parameterized queries or prepared statements using PHP's mysqli or PDO with bound parameters to prevent SQL injection regardless of input; (3) Apply principle of least privilege to database credentials used by cart2.php; (4) Enable SQL error suppression in production to prevent information leakage. Medium-term: Update to a patched version of Online Shoe Store once available from code-projects. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the ID parameter. Conduct a full security audit of other PHP files for similar injection vulnerabilities. Legacy mitigation (if upgrade unavailable): Use database-level restrictions and consider isolating the application or requiring VPN access.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-6315 vulnerability details – vuln.today

Back

PHP CVE-2025-6315

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code