
PHP CVE-2025-7467

| EUVD-2025-21214 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-07-12 cna@vuldb.com
5.5
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Vector string as listed under "Severity by source" above.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline (6 events)

Apr 29, 2026 01:11 (NVD): Severity changed, HIGH to MEDIUM
Apr 29, 2026 01:11 (NVD): CVSS changed, 7.3 (HIGH) to 5.5 (MEDIUM)
Mar 16, 2026 08:56 (euvd): EUVD ID assigned, EUVD-2025-21214
Mar 16, 2026 08:56 (vuln.today): Analysis generated
Jul 15, 2025 15:44 (vuln.today): PoC detected, public exploit code
Jul 12, 2025 09:15 (nvd): CVE published, HIGH 7.3

Description (CVE.org)

A vulnerability, which was classified as critical, was found in code-projects Modern Bag 1.0. This affects an unknown part of the file /product-detail.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-7467 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0 affecting the /product-detail.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate-to-high real-world impact with low attack complexity and no authentication requirements.

Technical Context (AI)

This vulnerability stems from improper input validation in PHP-based e-commerce software (code-projects Modern Bag 1.0) and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'). The root cause is insufficient parameterization or sanitization of the ID query parameter in /product-detail.php before it is incorporated into SQL queries, which lets an attacker supply SQL syntax of their own. The affected software is an e-commerce shopping bag/cart management system written in PHP, typically deployed on LAMP stacks (Linux, Apache, MySQL, PHP). The flaw is a classic SQL injection (first- or second-order) in which user-controlled input shapes the SQL statement without prepared statements or proper escaping.

Remediation (AI)

Immediate actions:

(1) Apply the latest security patch from code-projects if available; check the vendor website or security advisory page for Modern Bag > 1.0 release notes.
(2) If no patch is available, implement input validation and parameterized queries: replace all direct SQL concatenation in /product-detail.php with prepared statements (mysqli prepared statements or PDO with bound parameters) for the ID parameter.
(3) Short-term workaround: implement a Web Application Firewall (WAF) rule to block SQL injection patterns in the ID parameter (e.g., detect quotes, UNION, OR 1=1, etc.).
(4) Restrict database user privileges to read-only where possible.
(5) Enable SQL query logging and monitor for suspicious patterns.
(6) Consider disabling the /product-detail.php endpoint until patched if it is not business-critical.

Upgrade to a patched version as soon as it is released by code-projects.
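As an added illustration of remediation item (2), and not code from Modern Bag itself, the following PHP shows the string-concatenation pattern the advisory describes beside a hardened replacement that validates the ID as a positive integer and binds it through a PDO prepared statement. The table and column names (products, id, name, price) and the DSN details are assumptions; the real schema is not on this page.

```php
<?php
// Added example, not the project's own code. Table/column names are assumed.

// --- Vulnerable pattern: the request value is spliced straight into the SQL text.
function vulnerableLookup(mysqli $db, array $get): ?array
{
    // Anything the client puts in ?ID= becomes part of the statement itself,
    // so the SQL structure is under the caller's control.
    $id  = $get['ID'] ?? '';
    $sql = "SELECT id, name, price FROM products WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened pattern: validate the type, then bind the value as a parameter.
function safeLookup(PDO $db, array $get): ?array
{
    // 1. Validate: a product ID must be a positive integer. Any other input is
    //    rejected before it reaches the database layer.
    $id = filter_var(
        $get['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Parameterize: the statement text is fixed at prepare time; the value
    //    travels separately and can never alter the query's structure.
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (assumed DSN and a read-only DB account, per remediation item 4):
// $pdo = new PDO('mysql:host=localhost;dbname=modern_bag;charset=utf8mb4', 'ro_user', $pw, [
//     PDO::ATTR_EMULATE_PREPARES => false,            // server-side prepared statements
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $product = safeLookup($pdo, $_GET);
```

Disabling PDO::ATTR_EMULATE_PREPARES makes the MySQL server, not the client driver, enforce the separation between statement and value.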


CVE-2025-7467 vulnerability details – vuln.today
