CVE Alert: CVE-2025-11420 - code-projects - E-Commerce Website

CVE-2025-11420

HIGHNo exploitation known

A vulnerability was detected in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/edit_order_details.php. The manipulation of the argument order_id results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.

CVSS v3.1 (7.3)

Vendor

code-projects

Product

E-Commerce Website

Versions

1.0

CWE

CWE-89, SQL Injection

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Published

2025-10-08T00:32:05.465Z

Updated

2025-10-08T00:32:05.465Z

References

https://vuldb.com/?id.327355

https://vuldb.com/?ctiid.327355

https://vuldb.com/?submit.665770

https://github.com/ashin9/CVE/issues/3

https://code-projects.org/

AI Summary Analysis

Risk verdict: High risk due to remote, unauthenticated SQL injection with publicly available exploit, enabling potential data access and manipulation.

Why this matters: The flaw can expose customer data and order details, risking financial loss, fraud, and reputational damage. Compromise of the e‑commerce backend may enable data alteration, downtime, and supply-chain disruption, especially for transactional sites handling payments and PII.

Most likely attack path: An automated attacker can exploit the web interface without user interaction to run arbitrary SQL against the database. The flaw’s CVSS indicators point to low preconditions and no UI requirement, implying quick weaponisation and potential broad impact on data integrity, confidentiality, and availability within the compromised scope.

Who is most exposed: Public-facing e‑commerce deployments, particularly small to mid-size sites on shared or low‑segregation hosting with PHP–MySQL stacks, are at greatest risk. Exposed admin/order endpoints often attract automated probes and low-friction exploitation.

Detection ideas:

Unusual or suspicious HTTP inputs resembling SQL payloads in order-related requests.
Database errors or hints of SQL syntax in responses or logs.
Spikes in 500s or failed queries linked to the affected endpoint.
WAF IPS alerts for SQL injection signatures.
Out-of-band data exfiltration indicators or unexpected query patterns.

Mitigation and prioritisation:

Apply vendor fix or upgrade to patched version; validate in staging before prod.
Enforce parameterised queries and prepared statements; away from dynamic string concatenation.
Minimise error disclosure; suppress verbose DB errors in production.
Enforce least privilege for DB credentials; restrict user permissions and network access.
Enable and tune WAF/IPS rules for SQL injection; monitor for related IOC activity.
Change-management: deploy patch promptly with verification and rollback plan.
If KEV true or EPSS ≥ 0.5, treat as priority 1. If data indicates otherwise, maintain high-priority remediation with a tight patch window.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: code-projects, CVE, cve-2025-11420, e-commerce-website, OSINT, threatintel