CVE-2025-7610

| EUVD-2025-21353 HIGH
2025-07-14 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21353
PoC Detected
Sep 29, 2025 - 21:16 vuln.today
Public exploit code
CVE Published
Jul 14, 2025 - 14:15 nvd
HIGH 7.3

Tags

PHP SQLi Electricity Billing System

Description

A vulnerability was found in code-projects Electricity Billing System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/change_password.php. The manipulation of the argument new_password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7610 is a critical SQL injection vulnerability in code-projects Electricity Billing System 1.0 affecting the password change functionality at /user/change_password.php. An unauthenticated remote attacker can inject arbitrary SQL commands through the new_password parameter to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation highly probable.

Technical Context

This vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based web application. The root cause is insufficient input validation and parameterized query usage in the password change function. The new_password parameter is concatenated directly into SQL queries without proper escaping or prepared statement usage. The affected application is code-projects Electricity Billing System, a PHP-based billing management solution commonly deployed in small-to-medium enterprises. The vulnerable file /user/change_password.php processes user input without sanitization, allowing attackers to break out of the intended SQL context and execute arbitrary commands against the backend database (typically MySQL/MariaDB).

Affected Products

code-projects Electricity Billing System version 1.0 and likely earlier/concurrent versions. Typical deployment: Linux/Apache/PHP/MySQL stack. CPE string would be: cpe:2.3:a:code-projects:electricity_billing_system:1.0:*:*:*:*:*:*:*. The /user/change_password.php file is the direct attack vector. Systems running this billing software in production environments—particularly in utility companies, municipal services, or managed service providers handling customer billing—are at risk.

Remediation

Immediate actions: (1) Apply input validation to reject SQL metacharacters in password fields or implement strict allowlists (alphanumeric + symbols only), (2) Use parameterized queries/prepared statements with bound parameters in the password update query, (3) Implement WAF rules to detect and block SQL injection payloads in the new_password parameter. Long-term: Update to a patched version when released by code-projects (monitor their GitHub or advisory channels for v1.1+). Workaround: Temporarily disable the /user/change_password.php endpoint or restrict access via IP whitelisting/authentication middleware until patching is feasible. Database-level: Implement principle-of-least-privilege on the database user account used by the application (remove DROP, ALTER, FILE privileges).

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: +20

Share

CVE-2025-7610 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy