CVE Alert: CVE-2025-11037 – code-projects – E-Commerce Website
CVE-2025-11037
A security flaw has been discovered in code-projects E-Commerce Website 1.0. It affects an unknown function in the file /pages/admin_index_search.php. Manipulation of the argument Search leads to SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used.
AI Summary Analysis
**Risk verdict**: High risk due to remote SQL injection with a publicly released exploit (PoC available); urgent remediation advised.
**Why this matters**: An attacker can read or modify customer data via the SQL injection, potentially affecting orders, payments and site integrity. Public exposure invites automated exploitation.
**Most likely attack path**: No authentication or user interaction is required; crafted input to admin_index_search.php corrupts the query, enabling data disclosure or modification. With network access and low complexity, automated tools could exploit at scale.
**Who is most exposed**: Internet-exposed admin search on e-commerce platforms, especially self-hosted or cloud stores running code-projects E-Commerce Website 1.0 with minimal access controls.
**Detection ideas**:
- Monitor for unusual search inputs and database errors.
- Look for SQLi payload patterns, time delays, or data dumps.
- Check logs for admin_index_search.php access spikes.
- Enable SQLi-focused IDS/IPS rules.
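The detection ideas above, worked into a small log triage script. This is an added example, not code from the advisory or from the code-projects application: it parses constructed Combined Log Format lines (sample data, not real traffic), flags requests to /pages/admin_index_search.php whose Search parameter matches coarse SQLi signatures, counts per-source request spikes and server errors on that endpoint. The path, parameter name, threshold and signature list are assumptions to tune for your environment.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:10:00:01 +0000] "GET /pages/admin_index_search.php?Search=shoes HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2025:10:00:02 +0000] "GET /pages/admin_index_search.php?Search=shoes%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811
203.0.113.9 - - [10/Oct/2025:10:00:03 +0000] "GET /pages/admin_index_search.php?Search=x%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 233
203.0.113.9 - - [10/Oct/2025:10:00:04 +0000] "GET /pages/admin_index_search.php?Search=x%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:10:00:05 +0000] "GET /pages/index.php HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$'
)

# Coarse SQLi signatures: quote-then-boolean, UNION SELECT, time-delay functions,
# and SQL comment sequences. Expect false positives on legitimate text; tune them.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    re.compile(r"(--|#|/\*)"),
]

def analyse(log_text, path="/pages/admin_index_search.php", param="Search", spike_threshold=3):
    """Return suspicious requests, per-IP spikes and 5xx counts for the search endpoint."""
    hits, per_ip, errors = [], Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        url = urlparse(m["target"])
        if url.path != path:
            continue                      # only the vulnerable endpoint is of interest here
        per_ip[m["ip"]] += 1
        if m["status"].startswith("5"):
            errors += 1                   # database errors often surface as 500s
        for value in parse_qs(url.query).get(param, []):   # parse_qs URL-decodes the value
            matched = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
            if matched:
                hits.append({"ip": m["ip"], "ts": m["ts"], "value": value, "patterns": matched})
    spikes = {ip: n for ip, n in per_ip.items() if n >= spike_threshold}
    return {"hits": hits, "spikes": spikes, "server_errors": errors}

if __name__ == "__main__":
    for h in analyse(SAMPLE_LOG)["hits"]:
        print(h["ts"], h["ip"], repr(h["value"]))
```

On the sample data the three decoded payload requests from 203.0.113.9 are reported, that source trips the spike threshold, and the single 500 is counted; feed the function your own access log text to triage a real incident.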
**Mitigation and prioritisation**:
- Apply vendor patch or upgrade; use parameterised queries and input validation.
- Harden admin endpoints with authentication, IP allowlisting and MFA where possible.
- Deploy WAF/IPS protections and monitor for SQLi indicators.
- Treat as high priority and test in staging before production.