EUVD-2025-28722

| CVE-2025-6344 HIGH
2025-06-20 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-28722
PoC Detected
Jun 26, 2025 - 15:38 vuln.today
Public exploit code
CVE Published
Jun 20, 2025 - 14:15 nvd
HIGH 7.3

Tags

PHP SQLi Online Shoe Store

Description

A vulnerability has been found in code-projects Online Shoe Store 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /contactus.php. The manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6344 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus.php file's email parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and exploit code availability increase the real-world threat level significantly.

Technical Context

The vulnerability is a classic SQL injection (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) flaw occurring in the /contactus.php endpoint. The email parameter is not properly sanitized or parameterized before being incorporated into SQL queries, allowing attackers to inject malicious SQL syntax. This affects code-projects Online Shoe Store 1.0 (CPE likely: cpe:2.3:a:code-projects:online_shoe_store:1.0:*:*:*:*:*:*:*). The vulnerability stems from a lack of input validation and the absence of prepared statements or parameterized queries in the contact form processing logic.

Affected Products

code-projects Online Shoe Store version 1.0 (all installations). CPE identifier: cpe:2.3:a:code-projects:online_shoe_store:1.0:*:*:*:*:*:*:*. The vulnerability affects the default /contactus.php contact form endpoint. No patch availability information is provided in the CVE description; affected organizations should contact code-projects for security updates or evaluate alternative solutions if patches are unavailable.

Remediation

Immediate actions: (1) Apply the latest security patch from code-projects if available; (2) If patches are unavailable, implement a Web Application Firewall (WAF) rule blocking SQL injection patterns in the email parameter; (3) Disable or restrict access to /contactus.php until patched; (4) Implement input validation using strict whitelist validation for email format (RFC 5322 compliance); (5) Refactor the contact form backend to use parameterized queries or prepared statements with bound parameters; (6) Conduct a security audit of other user-input handling in the application. Contact code-projects vendor advisories for official guidance and patch release timelines.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

EUVD-2025-28722 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy