Which versions of PHP are affected by CVE-2025-6472?

A SQL injection vulnerability in the Online Bidding System's product display functionality allows unauthenticated attackers to remotely compromise the database.

Is there a public PoC exploit available for CVE-2025-6472?

Yes, a public proof-of-concept exploit is available for CVE-2025-6472. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-6472?

Within 24 hours: Assess whether this system is internet-exposed and isolate it if possible; audit access logs for exploitation attempts. Within 7 days: Deploy WAF rules to block SQL injection patterns in the ID parameter of /showprod.php; implement input validation and parameterized queries at the application layer if accessible. Within 30 days: Contact the vendor for patch availability; evaluate alternative bidding systems if patches remain unavailable; conduct a forensic audit to confirm no prior compromise.

PHP CVE-2025-6472

Q: What is the CVSS score of CVE-2025-6472?

CVE-2025-6472 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2025-18840 MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-06-22 cna@vuldb.com

PHP SQLi

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Mar 15, 2026 - 21:55 euvd

EUVD-2025-18840

Analysis Generated

Mar 15, 2026 - 21:55 vuln.today

PoC Detected

Jun 27, 2025 - 16:56 vuln.today

Public exploit code

CVE Published

Jun 22, 2025 - 10:15 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability, which was classified as critical, has been found in code-projects Online Bidding System 1.0. Affected by this issue is some unknown functionality of the file /showprod.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-6472 is a critical SQL injection vulnerability in code-projects Online Bidding System 1.0 affecting the /showprod.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with exploit code available, creating immediate risk for exposed instances.

Technical ContextAI

The vulnerability stems from improper input validation on the ID parameter in /showprod.php, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The root cause is insufficient parameterization or escaping of user-supplied input before incorporation into SQL queries. The Online Bidding System, a PHP-based e-commerce application, directly concatenates user input into SQL statements without proper prepared statements or parameterized queries. This allows attackers to inject arbitrary SQL syntax through the ID parameter, bypassing authentication mechanisms entirely (PR:N) and requiring no user interaction (UI:N).

RemediationAI

Immediate actions: (1) Disable or restrict access to /showprod.php via web application firewall rules if patching cannot be performed immediately; (2) Implement input validation on the ID parameter to accept only numeric values using whitelist patterns; (3) Upgrade to the latest patched version of Online Bidding System (vendor should provide patch details—check code-projects official repository/advisory); (4) Implement parameterized queries or prepared statements throughout the application; (5) Apply principle of least privilege to database user credentials used by the application. Long-term: migrate to actively maintained e-commerce platforms with security-by-design principles.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-6472 vulnerability details – vuln.today

Back

PHP CVE-2025-6472

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code