CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability was found in code-projects Modern Bag 1.0. It has been classified as critical. Affected is an unknown function of the file /contact-back.php. The manipulation of the argument contact-name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-7512 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0, affecting the contact-name parameter handled by /contact-back.php. An unauthenticated remote attacker can exploit it to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. A public exploit has been disclosed, and the vulnerability carries a CVSS score of 7.3.
Technical Context
This vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')) in the contact form's backend processing logic. The /contact-back.php endpoint neither sanitizes nor parameterizes the contact-name input before incorporating it into SQL queries. The affected product, code-projects Modern Bag 1.0, is a PHP-based web application. The root cause is user input concatenated directly into SQL statements, which bypasses the protection that parameterized queries and prepared statements provide. Modern web frameworks typically prevent this class of bug through parameterized queries (prepared statements), but this legacy application appears to construct its queries through string concatenation.
Affected Products
- Vendor: code-projects
- Product: Modern Bag
- Version: 1.0
- Affected component: /contact-back.php
- Vulnerable parameter: contact-name
- CPE: cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:*
Remediation
- Patch (priority: critical): Upgrade to a patched version of Modern Bag beyond 1.0 if available from code-projects. Check the vendor's official repository or website for security updates.
- Code fix: Implement parameterized queries/prepared statements in /contact-back.php. Replace all SQL concatenation with parameterized query syntax: use placeholders (?) or named parameters (:param) with bound variables. Example: replace "SELECT * FROM contacts WHERE name = '" . $_POST['contact-name'] . "'" with a prepared statement using mysqli_stmt_bind_param() or PDO prepared statements.
- Input validation (priority: high): Implement strict input validation: whitelist alphanumeric characters and common name punctuation; enforce maximum length constraints; reject special SQL characters if parameterization is temporarily unavailable.
- WAF mitigation (priority: high): Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the contact-name parameter pending patch deployment. Monitor for attack patterns such as quotes, semicolons, and SQL keywords (UNION, SELECT, etc.).
- Access control (priority: medium): Restrict network access to /contact-back.php using firewall rules or reverse proxy authentication if the contact form is not essential.
- Detection (priority: medium): Enable SQL query logging and database activity monitoring to detect exploitation attempts. Search logs for unusual SQL patterns in contact form submissions.
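The following is an added example, not code from code-projects Modern Bag, showing what the code-fix and input-validation items above look like together for the contact-name parameter: a validated value bound through a PDO prepared statement instead of concatenated into the query. The table and column names (contacts, name) follow the remediation example; the DSN, credentials and the extra columns (id, email) are placeholders.

```php
<?php
// Added example (not code-projects Modern Bag's own code): hardened handling of the
// contact-name parameter in a /contact-back.php style handler.

// Vulnerable pattern the advisory describes, kept only as a comment for contrast:
//   $sql = "SELECT * FROM contacts WHERE name = '" . $_POST['contact-name'] . "'";

function validateContactName(string $raw): ?string
{
    $name = trim($raw);
    // Enforce a length bound, then whitelist letters, marks, spaces and common name punctuation.
    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

$name = validateContactName($_POST['contact-name'] ?? '');
if ($name === null) {
    http_response_code(400);
    exit('Invalid contact name');
}

// Placeholder connection details (assumed); replace with the deployment's own configuration.
$pdo = new PDO('mysql:host=localhost;dbname=modern_bag;charset=utf8mb4', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
]);

// The value travels to the server as a bound parameter, never as part of the SQL text,
// so quotes, semicolons or SQL keywords inside it cannot alter the query's structure.
// The same pattern applies to the INSERT/UPDATE statements a contact form typically runs.
$stmt = $pdo->prepare('SELECT id, name, email FROM contacts WHERE name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Validation here is defence in depth: the prepared statement is what actually closes the injection, so the whitelist must not be relied on alone.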
EUVD-2025-21241