Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in code-projects Online Shoe Store 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/admin_running.php. The manipulation of the argument qty leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
CVE-2025-6316 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, in the file /admin/admin_running.php, where the 'qty' parameter is not properly sanitized. An unauthenticated remote attacker can use this flaw to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available. The CVSS score is 7.3 (high); because the attack vector is network-based with low complexity and requires neither privileges nor user interaction, exploitation is practical.
Technical Context (AI)
This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection'), specifically SQL injection. The Online Shoe Store application fails to properly validate or parameterize SQL queries when processing the 'qty' (quantity) parameter in the administrative interface at /admin/admin_running.php. Rather than using prepared statements or parameterized queries, the application concatenates user input directly into SQL commands. The affected component appears to handle inventory or order quantity management, a common administrative function in e-commerce applications. This is a classic input validation failure where user-supplied data is treated as executable SQL code without proper escaping or type checking.
Remediation (AI)
Immediate actions:
(1) Update to a patched version of Online Shoe Store, if one is available from code-projects.
(2) Use parameterized queries/prepared statements for all SQL operations, particularly in /admin/admin_running.php where the 'qty' parameter is processed.
(3) Validate the 'qty' parameter so that it accepts only numeric values.
(4) Use Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the qty parameter (signatures: SQL keywords such as UNION, SELECT, OR '1'='1, etc.).
(5) Restrict administrative interface access to trusted IP addresses and implement strong authentication mechanisms.
(6) Review all user input handling in administrative functions.
Given the public PoC availability, patching should be prioritized within 24-48 hours for exposed instances.
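As an added example (not code from the Online Shoe Store project, whose source is not shown on this page), the hardened handling of the qty parameter that items (2) and (3) call for, written in PHP with PDO; the table and column names, the commented-out vulnerable line and the request shape are assumptions for illustration, and the block targets PHP 8.

```php
<?php
// Added example, not the project's code: hardened handling of a quantity
// parameter for an inventory update, modelled on the /admin/admin_running.php
// issue described above. Table/column names (products, stock, id) are assumed.
declare(strict_types=1);

// Vulnerable pattern (hypothetical reconstruction of the bug class, not the
// project's actual line): the raw request value is spliced into the SQL text,
// so anything after the number is parsed by the database as SQL.
// $sql = "UPDATE products SET stock = " . $_POST['qty'] . " WHERE id = " . $_POST['id'];
// $conn->query($sql);

/**
 * Validate a quantity field: must be an integer in [0, $max].
 * Returns null for anything else (missing, float, trailing text, negative, array).
 */
function validateQuantity(mixed $raw, int $max = 1000000): ?int
{
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $qty === false ? null : $qty;
}

/**
 * Hardened update: the query text is fixed and the values are bound as
 * integers, so user input is never interpreted as SQL.
 */
function updateStock(PDO $pdo, int $productId, int $qty): int
{
    $stmt = $pdo->prepare('UPDATE products SET stock = :qty WHERE id = :id');
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    $stmt->bindValue(':id', $productId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling: reject malformed input before touching the database.
$qty = validateQuantity($_POST['qty'] ?? null);
$id  = validateQuantity($_POST['id'] ?? null);
if ($qty === null || $id === null) {
    http_response_code(400);
    exit('qty and id must be non-negative integers');
}
$pdo = new PDO('mysql:host=localhost;dbname=shoestore', 'db_user', 'db_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);
echo updateStock($pdo, $id, $qty) . " row(s) updated\n";
```

The validation step alone closes the injection for this parameter; the prepared statement is still the correct fix because it protects every other value the query may later take.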
EUVD-2025-28717