Online Ordering System
CVE-2025-8256
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability classified as critical has been found in code-projects Online Ordering System 1.0. Affected is an unknown function of the file /admin/product.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Unrestricted file upload in code-projects Online Ordering System 1.0 allows authenticated remote attackers to upload arbitrary files via the image parameter in /admin/product.php, potentially enabling remote code execution. Despite a critical severity classification, the CVSS 4.0 score of 2.1 reflects low actual impact due to required authentication and limited scope. Publicly available exploit code exists; however, the 0.10% EPSS score (27th percentile) indicates minimal real-world exploitation likelihood, suggesting this is a low-priority vulnerability in practice.
Technical ContextAI
The vulnerability resides in the PHP-based product management endpoint /admin/product.php, which lacks proper input validation and file type restrictions on the image upload parameter. CWE-284 (Improper Access Control / Insufficient Access Control) indicates that the administrative endpoint fails to properly validate or restrict file uploads, allowing authenticated users to bypass intended file type constraints. The underlying issue is insufficient validation of uploaded file content, combined with potential misconfiguration of web server execution permissions that could allow uploaded PHP files to be executed. The attack leverages the administrative panel's file upload mechanism without proper MIME type verification or storage isolation.
RemediationAI
Upgrade to a patched version if available from the vendor; however, no patch version has been identified in available sources. Immediate compensating controls include: (1) implement strict file type validation by checking both MIME type headers and magic bytes (not just file extension) for image uploads; (2) store uploaded files outside the web root or in a directory with execution permissions disabled (disable PHP execution in upload directories via .htaccess or web server configuration); (3) restrict /admin/product.php access to known administrative IP addresses or require multi-factor authentication for admin login; (4) implement a whitelist of allowed file extensions (e.g., .jpg, .png, .gif only) and reject all others; (5) rename uploaded files to remove original extensions and randomize filenames to prevent direct execution. Contact the vendor (code-projects.org) to request security patches. If the product is no longer maintained, consider migrating to an actively supported alternative.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today