CVE Alert: CVE-2025-10802 – code-projects – Online Bidding System
CVE-2025-10802
A flaw has been found in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/remove.php. Manipulation of the argument ID causes SQL injection. The attack can be launched remotely. The exploit has been published and may be used.
AI Summary Analysis
Risk verdict
Urgent remediation required: the remote SQL injection via /administrator/remove.php is demonstrably exploitable (a PoC has been published), automatable, and reachable without authentication or user interaction.
Why this matters
Attackers can directly reach the database over the network, potentially exfiltrating or altering data and impacting bid integrity. The lack of user interaction and credentials means it can be weaponised quickly at scale, risking customer data and transactional trust.
Most likely attack path
The vulnerability permits remote, unauthenticated attackers to send crafted ID values to /administrator/remove.php and trigger SQL injection (PR:N, UI:N). Consequences include data disclosure or modification, rated as low to moderate database impact under the CVSS metrics. Because no user interaction is required, automated attempts at scale are straightforward, and a compromised data layer may serve as a foothold for further movement within the application.
Who is most exposed
Internet-facing deployments of the Online Bidding System are at greatest risk, especially those that expose the administrator endpoints, including /administrator/remove.php, without additional protection. Self-managed instances and small SaaS offerings built on this code are the typical exposures.
Detection ideas
- Unusual or malformed input patterns targeting the ID parameter in remove.php (e.g., classic tautologies, UNION SELECT payloads).
- Database error messages or unusual latency linked to /administrator/remove.php requests.
- WAF/IDS alerts for SQLi signatures on the affected endpoint.
- High-volume, automated probe activity from diverse IPs targeting the admin path.
- Anomalous read/write activity in the database around bidding data.
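A minimal way to turn the first two detection ideas into a log check, added here as an example and not taken from the advisory or the project's code: it parses constructed Apache-style access-log lines, isolates requests to /administrator/remove.php, and flags an ID value that is not a plain integer, matches a common SQLi signature, or comes back with HTTP 500. The sample log lines, the signature regex and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /administrator/remove.php?ID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /administrator/remove.php?ID=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.11 - - [10/Oct/2025:12:00:03 +0000] "GET /administrator/remove.php?ID=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 233 "-" "python-requests/2.31"
203.0.113.12 - - [10/Oct/2025:12:00:04 +0000] "GET /administrator/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/administrator/remove.php"

# Coarse SQLi indicators (assumed signature set): tautologies, UNION SELECT, comment and statement terminators.
SQLI_RE = re.compile(r"(?i)(\bunion\b\s+(all\s+)?select\b|\bor\b\s+\S+\s*=\s*\S+|--|/\*|;)")


def inspect_line(line):
    """Return a finding dict for a suspicious remove.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes once; the vulnerable argument is ID (matched case-insensitively).
    params = parse_qs(url.query, keep_blank_values=True)
    ids = [v for k, vals in params.items() if k.lower() == "id" for v in vals]
    reasons = []
    for value in ids:
        if not value.isdigit():
            reasons.append(f"non-numeric ID {value!r}")
        if SQLI_RE.search(value):
            reasons.append("SQLi pattern in ID")
    if m["status"] == "500":
        reasons.append("HTTP 500 (possible database error)")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "id": ids, "reasons": reasons}


def scan(log_text):
    """Run inspect_line over every line of a log and keep only the findings."""
    return [r for r in (inspect_line(l) for l in log_text.splitlines()) if r]
```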
Mitigation and prioritisation
- Apply vendor patches where available, and replace dynamic queries with parameterised statements.
- Restrict access to /administrator/remove.php (IP allowlists, authentication, MFA for admins).
- Enforce input validation on the ID parameter and use prepared statements; remove direct ID-manipulation endpoints where they are unnecessary.
- Deploy web application firewall rules to block common SQLi patterns; enhance logging and alerting for admin paths.
- Change-management: schedule patch as a priority and test in a staging environment before production. If KEV/EPSS indicators emerge, elevate to priority 1.