CVE Alert: CVE-2025-10841 – code-projects – Online Bidding System

CVE-2025-10841

HIGH | No exploitation known

A security vulnerability has been detected in code-projects Online Bidding System 1.0. It affects an unknown function of the file /administrator/weweee.php. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

CVSS v3.1 (7.3)
Vendor
code-projects
Product
Online Bidding System
Versions
1.0
CWE
CWE-89, SQL Injection
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published
2025-09-23T05:32:37.237Z
Updated
2025-09-23T05:32:37.237Z

AI Summary Analysis

Risk verdict

High risk due to a remote SQL injection vulnerability in a web-facing admin script, with a publicly disclosed exploit; exploitation potential is present and urgent remediation is advised. KEV/EPSS flags are not provided here, so treat as urgent based on CVSS reach and public PoC.

Why this matters

An attacker could exfiltrate or modify database contents, potentially exposing customer data or disrupting bidding operations. The lack of authentication and the ability to reach the vulnerable endpoint from the internet raise the likelihood of automated abuse and data loss, even if the impact on availability is modest.

Most likely attack path

An attacker sends crafted requests to /administrator/weweee.php with a manipulated ID parameter to trigger SQL injection. The CVSS indicates network access, no user interaction, and no privileges required, enabling direct data access or modification with low preconditions and potential data leakage or integrity compromise.

Who is most exposed

Public-facing deployments of code-projects Online Bidding System, especially sites on shared hosting or with unauthenticated admin panels, are at highest risk; any organisation relying on this vendor/product fits the typical exposure pattern.

Detection ideas

  • Look for unusual ID parameter values, SQL error messages, or UNION/SELECT payloads in web logs.
  • Unusual response delays (time-based probing) or database error text in responses from /administrator/weweee.php.
  • WAF/IDS alerts for SQL injection patterns targeting the admin endpoint.
  • Abnormal spikes in DB query errors or data volume from the application host.
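As an added example (not part of the advisory or the vendor's code), a small Python scanner that applies the first two detection ideas to web logs: it parses constructed access-log lines, keeps only requests to /administrator/weweee.php, and flags ID values that are non-numeric or contain SQL keywords or metacharacters. The log lines, IP addresses and the keyword heuristic are assumptions; tune the pattern to your own traffic.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not from any real deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2025:06:01:10 +0000] "GET /administrator/weweee.php?ID=42 HTTP/1.1" 200 1184
203.0.113.5 - - [23/Sep/2025:06:01:11 +0000] "GET /administrator/weweee.php?ID=42%27%20OR%201%3D1 HTTP/1.1" 200 1184
198.51.100.9 - - [23/Sep/2025:06:02:30 +0000] "GET /administrator/weweee.php?ID=42%20UNION%20SELECT%20NULL HTTP/1.1" 500 0
198.51.100.9 - - [23/Sep/2025:06:02:31 +0000] "GET /index.php?page=2 HTTP/1.1" 200 3021
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/administrator/weweee.php"   # vulnerable endpoint named in the advisory
# Assumed heuristic: SQL keywords or common injection metacharacters in a field that should be numeric.
SQLI_HINT = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|'|--|;")


def analyse_id_param(value: str) -> Optional[str]:
    """Return a reason string if the (already URL-decoded) ID value looks hostile, else None."""
    if value.isdigit():
        return None                      # a well-formed numeric ID is the expected case
    if SQLI_HINT.search(value):
        return f"sql-keyword-or-metachar: {value!r}"
    return f"non-numeric-id: {value!r}"


def scan_log(text: str) -> list:
    """Scan access-log text; return one finding per suspicious ID value sent to the target path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a parsable request line
        parts = urlsplit(m["url"])
        if parts.path != TARGET_PATH:
            continue                     # only the vulnerable script is of interest here
        # parse_qsl percent-decodes values, so the heuristic sees what the application saw
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() != "id":
                continue
            reason = analyse_id_param(raw)
            if reason:
                findings.append({"ip": m["ip"], "status": m["status"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```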

Mitigation and prioritisation

  • Apply vendor patch or upgrade to address the SQL injection; convert to parameterised queries.
  • Restrict DB account privileges and use prepared statements; disable verbose DB errors.
  • Implement input validation and canonicalisation for ID parameters; consider UI-level checks.
  • Enable WAF rules targeting SQLi and monitor logs for anomalies; isolate the admin page if feasible.
  • Plan patching in a controlled window with backups and post-implementation validation.
  • If KEV true or EPSS ≥ 0.5, treat as priority 1; data not provided here, so proceed with high urgency based on exposure.
