CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability, which was classified as critical, has been found in code-projects Online Shoe Store 1.0. This issue affects some unknown processing of the file /admin/admin_football.php. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6342 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0, specifically in the /admin/admin_football.php file where the 'pid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in the wild.
Technical Context
This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests as SQL injection in the web application's administrative interface. The Online Shoe Store application fails to properly validate or parameterize user input in the 'pid' (product ID) parameter passed to /admin/admin_football.php, allowing attackers to inject malicious SQL syntax. The root cause is improper input validation and lack of prepared statement usage, typical of legacy PHP applications. The affected component appears to be a legacy administrative module handling football-related product data, suggesting inadequate separation of concerns and aging codebase practices.
Affected Products
code-projects Online Shoe Store version 1.0 (CPE likely: cpe:2.3:a:code-projects:online_shoe_store:1.0:*:*:*:*:*:*:*). The specific vulnerable file is /admin/admin_football.php. No patched version information is available in the provided data, suggesting this may be abandoned or unmaintained software. The vendor 'code-projects' appears to be a small/independent developer with limited security support infrastructure.
Remediation
Immediate actions:
(1) Validate the 'pid' parameter with a whitelist approach (accept only numeric values).
(2) Use parameterized queries/prepared statements for all SQL operations in admin_football.php.
(3) Apply the principle of least privilege to the application's database user account (restrict it to the necessary tables/operations only).
Long-term:
(1) Upgrade to a maintained e-commerce platform if the vendor offers one.
(2) If code-projects provides patches, apply them immediately.
(3) If no patches are available, consider migrating to maintained alternatives (WooCommerce, Magento, etc.).
Temporary mitigation:
(1) Restrict access to /admin/ paths via WAF rules or IP whitelisting.
(2) Disable the admin_football.php functionality if it is not actively used.
(3) Monitor database queries for SQL injection patterns.
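The following is an added illustration of remediation steps (1) through (3), not code from the Online Shoe Store project: the string-concatenation pattern the advisory describes is shown next to a hardened handler that whitelists 'pid' as a positive integer, binds it through a prepared statement, and connects with a dedicated low-privilege database account. The table name (products), column names, DSN, account name and the DB_PASS environment variable are assumptions chosen for the example.

```php
<?php
// Added example, not code from the Online Shoe Store project.
// Table/column names, the DSN and the DB account are assumptions for illustration.

declare(strict_types=1);

// --- Pattern the advisory describes: 'pid' spliced directly into the SQL text ---
function loadProductUnsafe(PDO $db, array $get): array
{
    // No validation and no binding: the raw query-string value becomes SQL syntax.
    $sql = "SELECT * FROM products WHERE pid = " . ($get['pid'] ?? '');
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened handler ---
// Step 1: whitelist validation. Only a positive integer is an acceptable product id;
// anything else (empty, non-numeric, negative) is rejected before any SQL is built.
function validatePid(mixed $raw): int
{
    $pid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        throw new InvalidArgumentException('pid must be a positive integer');
    }
    return $pid;
}

// Step 2: prepared statement. The value travels as a bound parameter, never as SQL text,
// so even a value that survived validation cannot alter the query structure.
function loadProductSafe(PDO $db, array $get): array
{
    $pid = validatePid($get['pid'] ?? null);
    $stmt = $db->prepare('SELECT pid, name, price FROM products WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Step 3: least privilege. The application connects as an account that holds only the
// grants it needs on its own tables, e.g. (run once by the DBA, assumed schema name):
//   GRANT SELECT, INSERT, UPDATE ON shoestore.products TO 'shoestore_app'@'localhost';
function connect(): PDO
{
    $db = new PDO(
        'mysql:host=127.0.0.1;dbname=shoestore;charset=utf8mb4',
        'shoestore_app',
        getenv('DB_PASS') ?: ''
    );
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Let the server perform parameter binding instead of client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

// Request handling as a fixed admin_football.php would do it.
try {
    $rows = loadProductSafe(connect(), $_GET);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep driver errors in the server log, not the response
    http_response_code(500);
    echo 'Server error';
}
```

The validation step is what makes step (1) a whitelist rather than a blacklist: the handler names the one shape of input it accepts and rejects everything else, so it does not depend on recognising injection syntax. The prepared statement in step (2) is the control that actually removes the injection primitive; the validation is defence in depth and also gives a clean 400 on malformed requests, which is a useful signal for the monitoring mentioned under temporary mitigation (3).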
EUVD-2025-28721