EUVD-2025-21353Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in code-projects Electricity Billing System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/change_password.php. The manipulation of the argument new_password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
CVE-2025-7610 is a critical SQL injection vulnerability in code-projects Electricity Billing System 1.0 affecting the password change functionality at /user/change_password.php. An unauthenticated remote attacker can inject arbitrary SQL commands through the new_password parameter to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation highly probable.
Technical ContextAI
This vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based web application. The root cause is insufficient input validation and parameterized query usage in the password change function. The new_password parameter is concatenated directly into SQL queries without proper escaping or prepared statement usage. The affected application is code-projects Electricity Billing System, a PHP-based billing management solution commonly deployed in small-to-medium enterprises. The vulnerable file /user/change_password.php processes user input without sanitization, allowing attackers to break out of the intended SQL context and execute arbitrary commands against the backend database (typically MySQL/MariaDB).
RemediationAI
Immediate actions: (1) Apply input validation to reject SQL metacharacters in password fields or implement strict allowlists (alphanumeric + symbols only), (2) Use parameterized queries/prepared statements with bound parameters in the password update query, (3) Implement WAF rules to detect and block SQL injection payloads in the new_password parameter. Long-term: Update to a patched version when released by code-projects (monitor their GitHub or advisory channels for v1.1+). Workaround: Temporarily disable the /user/change_password.php endpoint or restrict access via IP whitelisting/authentication middleware until patching is feasible. Database-level: Implement principle-of-least-privilege on the database user account used by the application (remove DROP, ALTER, FILE privileges).
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today