EUVD-2025-21023Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in code-projects Mobile Shop 1.0 and classified as critical. This issue affects some unknown processing of the file /LoginAsAdmin.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
CVE-2025-7409 is a critical SQL injection vulnerability in code-projects Mobile Shop 1.0 affecting the /LoginAsAdmin.php endpoint, where the 'email' parameter is improperly sanitized, allowing unauthenticated remote attackers to inject arbitrary SQL commands. The vulnerability has been publicly disclosed with exploits available, making it actively exploitable in the wild. With a CVSS score of 7.3 and network-accessible attack vector, this poses significant risk to confidentiality, integrity, and availability of affected systems.
Technical ContextAI
The vulnerability exists in the /LoginAsAdmin.php file of code-projects Mobile Shop 1.0, a PHP-based e-commerce application. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests as SQL injection through inadequate input validation/parameterization on the 'email' parameter in admin login processing. The application fails to use prepared statements or proper escaping mechanisms when constructing SQL queries, allowing attackers to inject malicious SQL syntax directly into database queries. This is a classic authentication bypass and data exfiltration vector in PHP applications lacking parameterized queries (mysqli prepared statements, PDO prepared statements, or ORM frameworks).
RemediationAI
Immediate actions: (1) Upgrade to patched version if available from code-projects (vendor advisory/patch status unknown from provided data—contact vendor directly); (2) If no patch exists, implement Web Application Firewall (WAF) rules to block SQL injection payloads in email parameter (detect patterns: UNION, OR 1=1, --, ;, xp_, etc.); (3) Disable or restrict access to /LoginAsAdmin.php via IP whitelisting or authentication gateway; (4) Implement input validation: whitelist email format validation (RFC 5322 compliant regex), reject non-alphanumeric/special-char patterns before query; (5) Code-level fix (if patching source): convert all SQL queries to parameterized statements using prepared statements (mysqli_prepare + mysqli_bind_param or PDO prepared statements); (6) Enable SQL error suppression to prevent information disclosure; (7) Conduct security audit of other endpoints for similar SQL injection vectors; (8) Monitor database logs for suspicious query patterns. Long-term: Consider sunsetting Mobile Shop 1.0 in favor of actively maintained e-commerce platforms.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today