CVE-2025-6343

| EUVD-2025-18752 HIGH
2025-06-20 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-18752
PoC Detected
Jun 26, 2025 - 15:41 vuln.today
Public exploit code
CVE Published
Jun 20, 2025 - 14:15 nvd
HIGH 7.3

Tags

PHP SQLi Online Shoe Store

Description

A vulnerability, which was classified as critical, was found in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/admin_product.php. The manipulation of the argument pid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6343 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_product.php file where the 'pid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the shoe store's database. The exploit has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.

Technical Context

The vulnerability exists in a PHP-based e-commerce application (code-projects Online Shoe Store 1.0) and represents a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') manifestation as SQL injection. The affected endpoint /admin/admin_product.php accepts user-supplied input via the 'pid' (product ID) parameter without proper input validation or parameterized query preparation. The root cause is the failure to use prepared statements or adequate input sanitization before constructing and executing SQL queries, allowing attackers to break out of intended SQL syntax and inject malicious query logic. This is particularly critical in administrative interfaces where database access is unrestricted.

Affected Products

code-projects Online Shoe Store version 1.0 is the specifically identified affected product. The vulnerable component is /admin/admin_product.php with the 'pid' parameter. CPE string would be: cpe:2.3:a:code-projects:online_shoe_store:1.0:*:*:*:*:*:*:* (standard vendor/product/version encoding for this application). No patch version or vendor advisory link is referenced in available data; the vendor's update or mitigation status is unknown.

Remediation

Immediate remediation steps: (1) Apply input validation to the 'pid' parameter using whitelist-based validation (e.g., ensure it matches expected integer format); (2) Implement parameterized queries or prepared statements for all database interactions in /admin/admin_product.php, using placeholders instead of string concatenation; (3) Enforce principle of least privilege on database user accounts used by the application; (4) If no vendor patch is available, consider upgrading to a patched version if released, or implementing Web Application Firewall (WAF) rules to detect and block SQL injection patterns in 'pid' parameter; (5) Disable or restrict administrative access to /admin/ endpoints via network segmentation or authentication bypass prevention. No specific vendor patch version is referenced; contact code-projects directly for patch availability or consider code review/remediation of the vulnerable PHP file.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6343 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy