CVE-2025-7459

| EUVD-2025-21187 HIGH
2025-07-11 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 08:18 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 08:18 euvd
EUVD-2025-21187
PoC Detected
Jul 16, 2025 - 14:58 vuln.today
Public exploit code
CVE Published
Jul 11, 2025 - 21:15 nvd
HIGH 7.3

Tags

PHP SQLi Mobile Shop

Description

A vulnerability classified as critical was found in code-projects Mobile Shop 1.0. This vulnerability affects unknown code of the file /EditMobile.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7459 is a SQL injection vulnerability in code-projects Mobile Shop version 1.0, specifically in the /EditMobile.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available, creating immediate risk for deployed instances. With a CVSS score of 7.3 and network-accessible attack vector, this poses significant risk to confidentiality, integrity, and availability of affected databases.

Technical Context

The vulnerability exists in the /EditMobile.php file of Mobile Shop 1.0, where user-supplied input via the ID parameter is improperly sanitized before being incorporated into SQL queries. This represents a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') vulnerability. The root cause is likely insufficient input validation/parameterization of the ID parameter, allowing attackers to inject malicious SQL syntax. The affected component is a PHP-based mobile shopping application with direct database interaction in the edit functionality, suggesting inadequate use of prepared statements or parameterized queries.

Affected Products

Product: code-projects Mobile Shop; Affected Version: 1.0; Vulnerable Component: /EditMobile.php (ID parameter); Attack Vector: Remote, No Authentication Required. No specific CPE string was provided in the source data, but the affected product would likely map to CPE notation: cpe:2.3:a:code-projects:mobile_shop:1.0:*:*:*:*:*:*:*. No vendor advisory links were provided in the references data. Organizations running any deployment of Mobile Shop 1.0 are affected regardless of configuration.

Remediation

Immediate actions: (1) Apply a security patch from code-projects if available - verify the vendor's official advisory/patch repository for Mobile Shop 1.0.x hotfixes; (2) If no patch exists, implement input validation by enforcing strict parameterized/prepared SQL queries for all ID parameter handling in /EditMobile.php, ensuring the ID is cast to an integer type before SQL execution; (3) Temporary mitigation: restrict access to /EditMobile.php via WAF rules or network segmentation until patches are applied; (4) Implement database-level least-privilege principles to limit SQL injection damage scope. Long-term: upgrade to a newer version of Mobile Shop if available, or migrate to actively maintained alternatives. Conduct code review of all PHP files handling user input to identify similar injection vulnerabilities.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-7459 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy