CVE-2025-6484 in Online Shopping Store
Summary
by MITRE • 06/23/2025
A vulnerability was found in code-projects Online Shopping Store 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /action.php. The manipulation of the argument cat_id/brand_id/keyword/proId/pid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/23/2025
This critical vulnerability exists within the code-projects Online Shopping Store version 1.0, specifically targeting the /action.php file which serves as a central processing endpoint for various user interactions. The flaw represents a classic sql injection vulnerability that occurs when user-supplied parameters are directly incorporated into database queries without proper sanitization or parameterization. The affected parameters include cat_id, brand_id, keyword, proId, and pid which are all passed through user input mechanisms and subsequently processed by the application's backend database operations. This vulnerability classification aligns with CWE-89 which defines sql injection as the insertion of malicious sql statements into input fields for execution by the database.
The technical implementation of this vulnerability allows remote attackers to manipulate database queries through carefully crafted inputs to the specified parameter fields. When an attacker submits malicious input through any of these parameters, the application fails to properly validate or sanitize the data before incorporating it into sql commands. This creates an opportunity for attackers to execute arbitrary sql commands against the underlying database, potentially leading to unauthorized data access, modification, or deletion. The remote exploitation capability means that attackers do not require physical access to the system or local network privileges to leverage this vulnerability, making it particularly dangerous in web-facing applications.
The operational impact of this vulnerability extends beyond simple data theft or corruption, as it can enable attackers to escalate privileges, extract sensitive customer information, manipulate inventory data, or even gain access to administrative functions within the shopping platform. The disclosed exploit availability significantly increases the risk profile since malicious actors can immediately leverage this vulnerability without requiring additional reconnaissance or development time. This vulnerability directly violates the principle of least privilege and demonstrates inadequate input validation practices that are fundamental to secure application development. The attack vector through the /action.php endpoint suggests that this is likely a core functionality component that handles user requests for product listings, category browsing, and brand filtering operations.
Organizations should immediately implement mitigations including input validation, parameterized queries, and web application firewalls to prevent exploitation of this vulnerability. The recommended approach involves sanitizing all user inputs through proper validation routines and implementing prepared statements or parameterized queries to ensure that user data cannot be interpreted as sql commands. Additionally, access controls should be reviewed to limit database permissions for application accounts and regular security audits should be conducted to identify similar vulnerabilities. This vulnerability demonstrates the critical importance of following secure coding practices and adheres to ATT&CK technique T1190 which describes exploitation of remote services through injection flaws, making it a prime target for automated attack tools that scan for common sql injection patterns.