Severity by source
CVSS 4.0 vector (NVD; primary rating and the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as critical, has been found in code-projects Modern Bag 1.0. Affected by this issue is some unknown functionality of the file /admin/product-update.php. The manipulation of the argument idProduct leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
CVE-2025-7508 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0. The /admin/product-update.php endpoint passes the 'idProduct' parameter into database queries without validating it. An unauthenticated remote attacker can use this to execute arbitrary SQL statements, potentially exfiltrating sensitive data, modifying product information, or gaining further access to the system. Exploit details have been disclosed publicly, and real-world exploitation is likely given the low attack complexity and the absence of any authentication requirement.
Technical Context (AI)
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), which covers SQL injection: user-supplied input concatenated directly into a SQL query string without parameterization or proper escaping. The affected application handles administrative product updates in PHP; the vulnerable code path reads the 'idProduct' parameter from the HTTP request and inserts it into SQL queries against the backend database (likely MySQL/MariaDB). The root cause is the absence of prepared statements, input validation, and output encoding. The corresponding CPE is 'cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:*', identifying version 1.0 of the Modern Bag e-commerce/shopping-cart application as affected.
Remediation (AI)
Immediate mitigation: If a patch is unavailable, restrict network access to /admin/ paths with firewall rules, a WAF, or additional authentication controls. Validate the idProduct parameter so that only numeric values are accepted (e.g., regex ^[0-9]+$).
Code-level fix: Replace dynamic SQL string construction with prepared statements and parameterized queries (PHP PDO with placeholders or mysqli prepared statements). For example, use $stmt = $pdo->prepare('UPDATE products SET ... WHERE id = ?'); $stmt->execute([$idProduct]); instead of string concatenation.
Patch availability: Contact code-projects for a patched version later than 1.0. If no official patch exists, consider forking the project or migrating to a maintained e-commerce platform (e.g., WooCommerce, Shopify) with active security support.
Detection & response: Audit database logs for suspicious SQL containing UNION, SELECT, OR 1=1 and similar fragments within product-update requests. Deploy WAF signatures that block common SQL injection payloads aimed at admin endpoints.
Post-exploitation: If compromise is suspected, rotate database credentials, audit user accounts created after the incident, review product and price modifications, and restore from clean backups.
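The root cause described under Technical Context and the code-level fix listed above, as an added example that is not code from the Modern Bag project: a minimal product-update handler in the vulnerable shape the advisory describes, beside a hardened version that rejects any non-numeric idProduct before touching the database and binds every value through a PDO prepared statement. The table and column names (products, id, name, price), the request fields other than idProduct, and the in-memory SQLite database used so the script runs offline are all assumptions made for this example.

```php
<?php
// Added example (not Modern Bag's own code): a minimal /admin/product-update.php
// handler in two variants. Table/column names and the SQLite demo database are
// assumptions made for illustration.
declare(strict_types=1);

// --- Vulnerable pattern the advisory describes: the request values, including
// --- idProduct, are concatenated straight into the SQL string. Shown for
// --- contrast only; this is the shape to remove.
function updateProductVulnerable(PDO $pdo, array $request): int
{
    $sql = "UPDATE products SET name = '" . $request['name'] . "', price = " . $request['price']
         . " WHERE id = " . $request['idProduct'];   // injection point
    return $pdo->exec($sql);
}

// --- Hardened version, step 1: accept only a positive integer for idProduct.
// --- \A...\z is used instead of ^...$ so a trailing newline cannot slip through.
function parseProductId(?string $raw): int
{
    if ($raw === null || !preg_match('/\A[0-9]+\z/', $raw)) {
        throw new InvalidArgumentException('idProduct must be numeric');
    }
    $id = (int) $raw;
    if ($id <= 0) {
        throw new InvalidArgumentException('idProduct must be positive');
    }
    return $id;
}

// --- Hardened version, step 2: every value travels as a bound parameter, so the
// --- database never parses request data as SQL.
function updateProductSafe(PDO $pdo, array $request): int
{
    $id    = parseProductId($request['idProduct'] ?? null);
    $name  = (string) ($request['name'] ?? '');
    $price = $request['price'] ?? null;
    if (!is_numeric($price)) {
        throw new InvalidArgumentException('price must be numeric');
    }

    $stmt = $pdo->prepare('UPDATE products SET name = :name, price = :price WHERE id = :id');
    $stmt->bindValue(':name',  $name,           PDO::PARAM_STR);
    $stmt->bindValue(':price', (string) $price, PDO::PARAM_STR);
    $stmt->bindValue(':id',    $id,             PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- Self-contained demo against an in-memory SQLite database (requires the
// --- pdo_sqlite extension); the rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products (id, name, price) VALUES (1, 'bag', 10.0), (2, 'wallet', 5.0)");

// A legitimate admin request: both variants update exactly one row.
$good = ['idProduct' => '1', 'name' => 'tote bag', 'price' => '12.5'];
echo "vulnerable handler, valid input: ", updateProductVulnerable($pdo, $good), " row(s) updated\n";
echo "hardened handler, valid input:   ", updateProductSafe($pdo, $good), " row(s) updated\n";

// A malformed idProduct (anything but digits): the hardened handler refuses it
// before any SQL is built or executed.
$malformed = ['idProduct' => '1 OR 1=1', 'name' => 'x', 'price' => '0'];
try {
    updateProductSafe($pdo, $malformed);
} catch (InvalidArgumentException $e) {
    echo "hardened handler, malformed input: rejected (", $e->getMessage(), ")\n";
}
```

Run it with `php product-update-example.php`. The validation in parseProductId is the same numeric check the Immediate mitigation item recommends at the WAF or input layer; the prepared statement is the defence that holds even if that check is ever bypassed, because bound parameters are sent to the database separately from the query text and are never interpreted as SQL.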
EUVD-2025-21239