EUVD-2025-21353

| CVE-2025-7610 HIGH
2025-07-14 [email protected]
PHP SQLi Electricity Billing System
7.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21353
PoC Detected
Sep 29, 2025 - 21:16 vuln.today
Public exploit code
CVE Published
Jul 14, 2025 - 14:15 nvd
HIGH 7.3

DescriptionNVD

A vulnerability was found in code-projects Electricity Billing System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/change_password.php. The manipulation of the argument new_password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-7610 is a critical SQL injection vulnerability in code-projects Electricity Billing System 1.0 affecting the password change functionality at /user/change_password.php. An unauthenticated remote attacker can inject arbitrary SQL commands through the new_password parameter to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation highly probable.

Technical ContextAI

This vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based web application. The root cause is insufficient input validation and parameterized query usage in the password change function. The new_password parameter is concatenated directly into SQL queries without proper escaping or prepared statement usage. The affected application is code-projects Electricity Billing System, a PHP-based billing management solution commonly deployed in small-to-medium enterprises. The vulnerable file /user/change_password.php processes user input without sanitization, allowing attackers to break out of the intended SQL context and execute arbitrary commands against the backend database (typically MySQL/MariaDB).

RemediationAI

Immediate actions: (1) Apply input validation to reject SQL metacharacters in password fields or implement strict allowlists (alphanumeric + symbols only), (2) Use parameterized queries/prepared statements with bound parameters in the password update query, (3) Implement WAF rules to detect and block SQL injection payloads in the new_password parameter. Long-term: Update to a patched version when released by code-projects (monitor their GitHub or advisory channels for v1.1+). Workaround: Temporarily disable the /user/change_password.php endpoint or restrict access via IP whitelisting/authentication middleware until patching is feasible. Database-level: Implement principle-of-least-privilege on the database user account used by the application (remove DROP, ALTER, FILE privileges).

Share

EUVD-2025-21353 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy