Online Shoe Store

20 CVEs product

CVE-2026-5836 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in /admin/admin_product.php, affecting other users who view the product data. The vulnerability requires high-privilege admin access and user interaction (clicking/viewing), limiting immediate risk, but publicly available exploit code exists and the issue has been disclosed. With a CVSS score of 2.4 and exploit maturity marked as proof-of-concept (E:P), this is a low-severity issue primarily affecting self-hosted instances of the affected software.

XSS Information Disclosure Online Shoe Store
NVD VulDB GitHub
CVSS 4.0 score: 4.8 | EPSS: 0.0%

CVE-2026-5835 MEDIUM POC This Month

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated attackers with high privileges to inject malicious scripts via the product_name parameter in /admin/admin_football.php, requiring user interaction to execute. The vulnerability has publicly available exploit code and a CVSS score of 2.4, reflecting the requirement for high-privilege authentication and user interaction, though the low EPSS probability and lack of CISA KEV listing suggest limited real-world exploitation despite POC availability.

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVSS 4.0 score: 4.8 | EPSS: 0.0%

CVE-2026-5834 MEDIUM POC This Month

Cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the product_name parameter in /admin/admin_running.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, though it carries a low CVSS score of 2.4 due to restricted attack vector (high privileges required, user interaction needed) and limited impact (integrity only).

PHP XSS Online Shoe Store
NVD VulDB GitHub
CVSS 4.0 score: 4.8 | EPSS: 0.0%

CVE-2025-6354 HIGH POC This Week

CVE-2025-6354 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the customer signup functionality (/function/customer_signup.php). An unauthenticated remote attacker can manipulate the email parameter to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept availability and demonstrates active exploitation potential.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6344 HIGH POC This Week

CVE-2025-6344 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus.php file's email parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and exploit code availability increase the real-world threat level significantly.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6343 HIGH POC This Week

CVE-2025-6343 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_product.php file where the 'pid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the shoe store's database. The exploit has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6342 HIGH POC This Week

CVE-2025-6342 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0, specifically in the /admin/admin_football.php file where the 'pid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in the wild.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6317 HIGH POC This Week

CVE-2025-6317 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /admin/confirm.php file's ID parameter. An unauthenticated remote attacker can execute arbitrary SQL commands with low complexity, potentially leading to unauthorized data access, modification, or service disruption. Public exploit disclosure and the feasibility of attack significantly elevate real-world risk on top of the CVSS score of 7.3 (High).

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6316 HIGH POC This Week

CVE-2025-6316 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_running.php file where the 'qty' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this flaw to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and while the CVSS score is 7.3 (high), the attack vector is network-based with low complexity, indicating active exploitation is feasible.

PHP SQLi Remote Code Execution Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6315 HIGH POC This Week

CVE-2025-6315 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /cart2.php endpoint via an unsanitized ID parameter. An unauthenticated remote attacker can exploit this over the network with low complexity to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. A public proof-of-concept has been disclosed and the vulnerability may be actively exploited.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6307 HIGH POC This Week

CVE-2025-6307 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /function/edit_customer.php file, where the 'firstname' parameter is insufficiently sanitized, allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept details available, and while rated 7.3 (High) in CVSS v3.1, the network-accessible attack vector combined with no authentication requirement and demonstrated public exploitation significantly elevates real-world risk. Other parameters in the same function are suspected to be vulnerable to the same injection pattern.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6306 HIGH POC This Week

CVE-2025-6306 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the admin authentication mechanism in /admin/admin_index.php. An unauthenticated remote attacker can manipulate the Username parameter to execute arbitrary SQL queries, potentially leading to unauthorized access, data theft, or data manipulation. The vulnerability has been publicly disclosed with working exploits available, making active exploitation likely.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6305 HIGH POC This Week

CVE-2025-6305 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /admin/admin_feature.php endpoint via the product_code parameter. An unauthenticated remote attacker can execute arbitrary SQL commands to read, modify, or delete database contents. The vulnerability has public exploit disclosure and carries a CVSS 7.3 score with confirmed exploitation potential.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6304 HIGH POC This Week

CVE-2025-6304 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /cart.php file's qty[] parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete sensitive data. The vulnerability has been publicly disclosed with proof-of-concept exploits available, presenting immediate exploitation risk to unpatched instances of this e-commerce application.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-6303 HIGH POC This Week

CVE-2025-6303 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus1.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.1%

CVE-2025-0208 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in code-projects Online Shoe Store 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

SQLi PHP Online Shoe Store
NVD GitHub VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.1%

CVE-2025-0207 MEDIUM POC This Week

A vulnerability, which was classified as critical, has been found in code-projects Online Shoe Store 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.

SQLi PHP Online Shoe Store
NVD GitHub VulDB
CVSS 4.0 score: 6.9 | EPSS: 0.1%

CVE-2025-0206 MEDIUM POC This Week

A vulnerability classified as critical was found in code-projects Online Shoe Store 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.

Information Disclosure PHP Online Shoe Store
NVD GitHub VulDB
CVSS 4.0 score: 6.9 | EPSS: 0.1%

CVE-2025-0205 MEDIUM POC This Month

A vulnerability classified as critical has been found in code-projects Online Shoe Store 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

SQLi PHP Online Shoe Store
NVD GitHub VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.1%

CVE-2025-0204 MEDIUM POC This Month

A vulnerability was found in code-projects Online Shoe Store 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

SQLi PHP Online Shoe Store
NVD GitHub VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.0%