CVE-2025-7409

EUVD-2025-21023 | HIGH
2025-07-10 [email protected]
CVSS 3.1 base score: 7.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd) - EUVD-2025-21023
PoC Detected: Jul 16, 2025 - 15:03 (vuln.today) - Public exploit code
CVE Published: Jul 10, 2025 - 17:15 (nvd) - HIGH 7.3

Description

A vulnerability was found in code-projects Mobile Shop 1.0 and classified as critical. This issue affects some unknown processing of the file /LoginAsAdmin.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7409 is a critical SQL injection vulnerability in code-projects Mobile Shop 1.0 affecting the /LoginAsAdmin.php endpoint, where the 'email' parameter is neither sanitized nor parameterized, allowing unauthenticated remote attackers to inject arbitrary SQL into the login query. The vulnerability has been publicly disclosed and exploit code is available, so it can be exploited by anyone who can reach the endpoint. With a CVSS score of 7.3 and a network attack vector, it poses significant risk to the confidentiality, integrity, and availability of affected systems.

Technical Context

The vulnerability exists in the /LoginAsAdmin.php file of code-projects Mobile Shop 1.0, a PHP-based e-commerce application. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests as SQL injection through inadequate input validation/parameterization on the 'email' parameter in admin login processing. The application fails to use prepared statements or proper escaping mechanisms when constructing SQL queries, allowing attackers to inject malicious SQL syntax directly into database queries. This is a classic authentication bypass and data exfiltration vector in PHP applications lacking parameterized queries (mysqli prepared statements, PDO prepared statements, or ORM frameworks).

Affected Products

code-projects Mobile Shop version 1.0 specifically in the /LoginAsAdmin.php component. CPE data would typically be: cpe:2.3:a:code-projects:mobile_shop:1.0:*:*:*:*:*:*:*. Affected configurations include all installations of Mobile Shop 1.0 with default or unpatched deployment. The vulnerability affects the authentication system module, making any instance accessible via HTTP/HTTPS at risk. No indication of patched versions (e.g., 1.1+) is provided in available intelligence, suggesting the product may be abandoned or patch status is unknown.

Remediation

Immediate actions:

(1) Upgrade to a patched version if one is available from code-projects (vendor advisory and patch status are unknown from the available data; contact the vendor directly).
(2) If no patch exists, deploy Web Application Firewall (WAF) rules that block SQL injection payloads in the email parameter (detect patterns such as UNION, OR 1=1, --, ;, xp_).
(3) Disable or restrict access to /LoginAsAdmin.php via IP whitelisting or an authentication gateway.
(4) Implement input validation: whitelist-style email format validation (RFC 5322 compliant regex), rejecting non-alphanumeric/special-character patterns before the value reaches any query.
(5) Code-level fix (if patching the source): convert all SQL queries to parameterized statements using prepared statements (mysqli_prepare with mysqli_stmt_bind_param, or PDO prepared statements).
(6) Suppress SQL error output to end users (log errors server-side instead) to prevent information disclosure.
(7) Conduct a security audit of other endpoints for similar SQL injection vectors.
(8) Monitor database logs for suspicious query patterns.

Long-term: consider sunsetting Mobile Shop 1.0 in favor of an actively maintained e-commerce platform.
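An added example of the code-level fix in steps (4) to (6), written for this page and not taken from Mobile Shop or its vendor: a constructed admin-login lookup that splices the email parameter into the SQL text, beside the same lookup rewritten with a PDO prepared statement, format validation and server-side error logging. The table and column names, DSN and credentials are assumptions.

```php
<?php
// Added example, not Mobile Shop's code. Table/column names, DSN and credentials are assumptions.

// Vulnerable pattern the advisory describes: the email parameter becomes part of the SQL
// text, so any quote or SQL syntax inside it changes the meaning of the query.
function findAdminVulnerable(PDO $db, string $email): ?array {
    $sql = "SELECT id, password_hash FROM admins WHERE email = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);   // DO NOT USE: injectable
    return $row ?: null;
}

// Hardened version: validate the format first (step 4), then pass the value as a bound
// parameter so the driver transmits it as data, never as SQL (step 5).
function findAdminSafe(PDO $db, string $email): ?array {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        return null;   // reject before the database is involved at all
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM admins WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Connection setup: server-side prepared statements (no client-side emulation) and
// exceptions on error, so failures are caught and logged instead of leaking to the page.
function connect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Request handling in the style of an admin login page (all values assumed).
try {
    $db    = connect('mysql:host=localhost;dbname=mobile_shop;charset=utf8mb4', 'app', 'secret');
    $admin = findAdminSafe($db, $_POST['email'] ?? '');
    if ($admin === null || !password_verify($_POST['password'] ?? '', $admin['password_hash'])) {
        http_response_code(401);
        exit('Invalid credentials');   // same message for unknown email and wrong password
    }
    // ... start an authenticated session for $admin['id']
} catch (PDOException $e) {
    error_log($e->getMessage());       // step 6: log server-side, never echo DB errors to clients
    http_response_code(500);
    exit('Login temporarily unavailable');
}
```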

Priority Score

57 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +36
POC: +20


CVE-2025-7409 vulnerability details – vuln.today
