A critical SQL Injection vulnerability, identified as CVE-2025-50972, has been discovered in AbanteCart e-commerce platform. This flaw allows an unauthenticated attacker to remotely execute arbitrary commands on the backend database, potentially leading to a complete compromise of sensitive customer data, financial information, and administrative control over the affected online store.

The vulnerability is a classic SQL Injection that exists due to insufficient input sanitization of the tmpl_id parameter in the index.php file. An unauthenticated remote attacker can exploit this by sending a specially crafted HTTP request to the web server. By injecting malicious SQL syntax into the tmpl_id parameter, the attacker can manipulate the database queries executed by the application, allowing for data exfiltration, modification, or deletion, and in some database configurations, achieve remote code execution on the server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a devastating impact on the business, leading to a severe data breach of customer personally identifiable information (PII), credentials, and payment card data. Such an incident would result in significant reputational damage, loss of customer trust, and potential regulatory fines under frameworks like GDPR or CCPA. Furthermore, an attacker could deface the website, disrupt business operations by altering product or order information, or use the compromised server as a pivot point to attack other systems within the corporate network.

Immediate Action: Update all instances of AbanteCart to the latest patched version provided by the vendor immediately. After patching, it is crucial to monitor for any ongoing exploitation attempts and thoroughly review historical web server and application access logs for any indicators of compromise preceding the update.

Proactive Monitoring: Security teams should actively monitor for signs of exploitation. Review web server access logs for requests to index.php containing SQL keywords (e.g., UNION, SELECT, SLEEP, '--) within the tmpl_id parameter. Monitor for unusual outbound network traffic from the database server, which could indicate data exfiltration, and watch for unexpected spikes in database CPU utilization.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to block SQL injection attacks targeting the tmpl_id parameter. Additionally, ensure the database user account leveraged by AbanteCart operates under the principle of least privilege, restricting its ability to perform system-level commands or access sensitive database tables outside of its operational scope.

Public Exploit Available: true

Given the critical 9.8 CVSS score and the public availability of exploit code, this vulnerability poses an immediate and severe threat to the organization. We recommend that all vulnerable AbanteCart instances be patched immediately as the highest priority. Although this CVE is not currently listed on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. Organizations should treat this vulnerability with the same urgency as a known exploited vulnerability and initiate incident response procedures to hunt for evidence of compromise that may have occurred prior to applying the patch.