code-projects E-Commerce Site CVE-2025-7756
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability classified as problematic has been found in code-projects E-Commerce Site 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Cross-site request forgery (CSRF) vulnerability in code-projects E-Commerce Site version 1.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users via a crafted request. The vulnerability requires user interaction (e.g., clicking a malicious link) and affects the integrity of user sessions. Publicly available exploit code exists, though the EPSS score of 0.06% indicates low real-world exploitation probability relative to the attack surface.
Technical Context (AI)
This vulnerability stems from insufficient CSRF token validation or lack of same-origin policy enforcement in the e-commerce application (CWE-352: Cross-Site Request Forgery). The affected product is code-projects E-Commerce Site version 1.0 (CPE: cpe:2.3:a:fabian:e-commerce_site:1.0:*:*:*:*:*:*:*), which fails to implement proper state-changing request protection mechanisms. CSRF vulnerabilities typically allow attackers to craft requests that exploit the trust a web application places in a user's browser session, bypassing authentication checks by leveraging the user's existing authenticated state.
Remediation (AI)
No vendor-released patch identified at time of analysis. Implement the following compensating controls:
(1) Deploy CSRF tokens (e.g., synchronizer token pattern or double-submit cookies) on all state-changing endpoints (POST, PUT, DELETE requests), validating token presence and validity before processing requests; this mitigates the attack by ensuring requests originate from the legitimate application.
(2) Set SameSite cookie attributes (SameSite=Strict or SameSite=Lax) on session cookies to prevent automatic credential transmission on cross-origin requests; this reduces the exploitation surface at the HTTP layer.
(3) Verify Origin and Referer headers for state-changing requests, rejecting requests from unexpected origins; note that this check can be bypassed in certain browser configurations, so it should supplement the token check rather than replace it.
(4) Apply Content Security Policy (CSP) headers to restrict unauthorized script execution and reduce attack complexity; CSP is defence in depth here and does not by itself stop a third-party page from submitting a form to the application.
Organizations should contact code-projects for patch availability or upgrade to a patched version if released. Monitor https://code-projects.org/ and https://vuldb.com/ for security advisories.
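Added example (not code from the affected product or from this record): a minimal handler for a state-changing cart action, first in the unprotected shape the record describes (the handler trusts the session cookie alone) and then with controls (1), (2) and (3) above in front of it: a per-session synchronizer token compared in constant time, an Origin/Referer check that fails closed, and a Set-Cookie value carrying SameSite=Lax. The origin `https://shop.example`, the cookie name `session` and the `delete_cart_item_*` handlers are constructed for illustration.

```python
"""CSRF defences for a state-changing endpoint: synchronizer token,
Origin/Referer check and SameSite session cookie (added example)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the origin the shop is actually served from.
TRUSTED_ORIGIN = "https://shop.example"


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token and store it server side (synchronizer token
    pattern). The same value must be embedded in every state-changing form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_matches(session: dict, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the stored one."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def origin_allowed(headers: dict, trusted: str = TRUSTED_ORIGIN) -> bool:
    """Secondary check: Origin, falling back to the Referer's scheme://host.
    Requests carrying neither header are rejected (fail closed)."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == trusted
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        return f"{p.scheme}://{p.netloc}" == trusted
    return False


def session_cookie_header(session_id: str, name: str = "session") -> str:
    """Set-Cookie value with the attributes the remediation asks for."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def delete_cart_item_vulnerable(session: dict, form: dict, headers: dict) -> str:
    """Shape of the flaw in the record: the handler trusts the cookie-bound
    session alone, so any page the victim visits can submit this form."""
    if not session.get("user"):
        return "401 not logged in"
    return f"200 deleted item {form.get('item_id')}"


def delete_cart_item_hardened(session: dict, form: dict, headers: dict) -> str:
    """Same handler with both CSRF checks in front of the state change."""
    if not session.get("user"):
        return "401 not logged in"
    if not token_matches(session, form) or not origin_allowed(headers):
        return "403 csrf check failed"
    return f"200 deleted item {form.get('item_id')}"


def demo() -> dict:
    """Run one legitimate request and two forged ones through both handlers."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    legit_form = {"item_id": "42", "csrf_token": token}
    legit_hdrs = {"Origin": TRUSTED_ORIGIN}
    # Constructed forged requests: the browser attaches alice's cookie (so
    # `session` is the same object), but a third-party page cannot read her token.
    forged_form = {"item_id": "42"}
    forged_hdrs = {"Origin": "https://attacker.example"}
    guessed_form = {"item_id": "42", "csrf_token": "A" * 43}
    return {
        "vulnerable_forged": delete_cart_item_vulnerable(session, forged_form, forged_hdrs),
        "hardened_legit": delete_cart_item_hardened(session, legit_form, legit_hdrs),
        "hardened_forged": delete_cart_item_hardened(session, forged_form, forged_hdrs),
        "hardened_guessed": delete_cart_item_hardened(session, guessed_form, legit_hdrs),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token is the primary control; the origin check is kept as the second gate because the record's own caveat applies to it (some browser configurations strip Referer, and a request with no Origin header at all is treated as forged here rather than waved through). SameSite=Lax still allows top-level GET navigations to carry the cookie, which is why the example never performs the state change on anything but a token-bearing POST form.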