CVE-2025-61246

indieka900 · online-shopping-system-php

The indieka900 online-shopping-system-php 1.0 is susceptible to a SQL injection vulnerability via the proId parameter.

Executive summary

A critical SQL injection vulnerability in the online-shopping-system-php platform could allow remote attackers to manipulate backend database queries and compromise application data.

Vulnerability

The application is vulnerable to SQL injection via the proId parameter located in the master/review_action.php script. This flaw permits unauthenticated remote attackers to inject arbitrary SQL commands.

Business impact

The CVSS score of 9.8 reflects the high severity of this vulnerability, which allows for unauthorized data access and potential database destruction. Successful exploitation can lead to a complete compromise of the shopping system's integrity and the exposure of sensitive customer or transaction data.

Remediation

Immediate Action: Update to the latest version of the software if available. If no patch exists, remove or disable the vulnerable review_action.php file until a secure version is released.

Proactive Monitoring: Monitor server logs for unusual SQL syntax or unexpected database query spikes, specifically originating from the master/review_action.php file.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block requests containing malicious SQL injection strings targeting the proId parameter.
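One way to handle the proId parameter so that it can no longer reach the query as SQL, shown as an added example rather than code from the online-shopping-system-php project; the table name, column names and connection settings are assumptions, not taken from the project:

```php
<?php
// Added example, not the project's own review_action.php. Assumed schema:
// table `product_reviews` with an integer `product_id` column. Connection
// values below are placeholders.
declare(strict_types=1);

/**
 * Accept proId only as a positive integer. Quotes, comment markers, UNION
 * clauses or anything else non-numeric is rejected before any SQL is built.
 */
function parseProductId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch reviews through a prepared statement: the value is bound as data,
 * so the database never interprets its contents as part of the query text.
 */
function fetchReviews(PDO $pdo, int $productId): array
{
    $stmt = $pdo->prepare(
        'SELECT review_id, reviewer, rating, comment
           FROM product_reviews
          WHERE product_id = :pid'
    );
    $stmt->bindValue(':pid', $productId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection settings (assumption; replace with real config).
$pdo = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'shop_ro', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Reject malformed input with a 400 and log it, which also gives the
// "unusual SQL syntax" monitoring above a clean signal to alert on.
$productId = parseProductId($_GET['proId'] ?? null);
if ($productId === null) {
    http_response_code(400);
    error_log('review_action: rejected non-integer proId from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit;
}

header('Content-Type: application/json');
echo json_encode(fetchReviews($pdo, $productId));
```

Using a read-only database account for this script limits what a future injection elsewhere in the same codebase could do.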

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the lack of specified patch details, users should exercise extreme caution and implement strict WAF filtering. If the software is no longer maintained, consider migrating to a more secure and supported e-commerce solution to eliminate this persistent risk.