CVE Alert: CVE-2025-10793 – code-projects – E-Commerce Website

CVE-2025-10793

HIGH | No exploitation known | PoC observed

A vulnerability was detected in code-projects E-Commerce Website 1.0. The affected component is an unknown function of the file /pages/admin_account_delete.php. Manipulation of the argument user_id leads to SQL injection. The attack can be launched remotely. The exploit is now public and may be used.

CVSS v3.1 (7.3)
Vendor: code-projects
Product: E-Commerce Website
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-22T10:02:06.955Z
Updated: 2025-09-22T12:33:37.665Z

AI Summary Analysis

Risk verdict

High risk: remote, unauthenticated SQL injection with a publicly available PoC; treat as a priority to patch promptly.

Why this matters

An attacker can read, modify, or delete admin-related data and potentially exfiltrate customer information. With partial impact across confidentiality, integrity and availability, core admin functions could be disrupted, affecting orders, refunds, and user management.

Most likely attack path

Exploitation requires no authentication or user interaction (AV:N, AC:L, PR:N, UI:N) against the vulnerable user_id parameter in admin_account_delete.php (Scope: Unchanged). The vulnerability enables immediate SQL injection, likely leading to data leakage or modification and possible admin account manipulation, without prior foothold or complex preconditions.

Who is most exposed

Public-facing e-commerce deployments with a directly accessible admin endpoint are at greatest risk, especially smaller shops on LAMP-like stacks where input sanitisation is inconsistent or absent.

Detection ideas

  • Spike in requests to admin_account_delete.php with unusual user_id values or payloads.
  • SQL error messages or database error traces appearing in application logs.
  • Unusual DELETE/SELECT queries targeting admin/user tables in DB logs.
  • Anomalous or failed PoC-style payloads in web server or WAF logs.
  • Correlated alerts from RASP/WAF for SQLi patterns on that endpoint.
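One way to turn the first and fourth detection ideas into a concrete check, as an added example that is not part of this alert or of the code-projects application: it parses combined-format web server log lines (the sample lines are constructed, not real traffic), keeps only requests to the vulnerable endpoint, and flags any user_id that is not a plain integer, HTTP 500 responses, and sources exceeding a per-endpoint request-count threshold. The threshold value and the integer-only assumption about legitimate user_id values are assumptions, not facts from the alert.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not captured from any real system.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Sep/2025:10:05:01 +0000] "GET /pages/admin_account_delete.php?user_id=7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Sep/2025:10:05:02 +0000] "GET /pages/admin_account_delete.php?user_id=7%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Sep/2025:10:05:03 +0000] "GET /pages/admin_account_delete.php?user_id=7%20abc HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.5 - - [22/Sep/2025:10:06:00 +0000] "GET /pages/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [22/Sep/2025:10:06:05 +0000] "POST /pages/admin_account_delete.php HTTP/1.1" 200 300 "-" "curl/8.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/pages/admin_account_delete.php"   # vulnerable file named in the advisory
UID_OK = re.compile(r"^\d{1,10}$")               # assumption: a legitimate user_id is a plain integer


def analyse(log_text, spike_threshold=3):
    """Return (suspicious_requests, spiking_sources) for requests to the vulnerable endpoint."""
    suspicious = []          # (ip, timestamp, method, reasons) for each flagged request
    per_source = Counter()   # requests to ENDPOINT per source IP, for spike detection
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        per_source[m["ip"]] += 1
        # parse_qs percent-decodes, so %27 becomes a literal quote before the format check
        uid_values = parse_qs(parts.query, keep_blank_values=True).get("user_id", [])
        reasons = [f"non-numeric user_id {uid!r}" for uid in uid_values if not UID_OK.match(uid)]
        if m["method"] == "POST" and not uid_values:
            reasons.append("POST body not visible in access log; check WAF/application log")
        if m["status"] == "500":
            reasons.append("HTTP 500 (possible database error)")
        if reasons:
            suspicious.append((m["ip"], m["ts"], m["method"], "; ".join(reasons)))
    spiking = {ip: n for ip, n in per_source.items() if n >= spike_threshold}
    return suspicious, spiking


if __name__ == "__main__":
    hits, spikes = analyse(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("sources over threshold:", spikes)
```

Run against real logs, the POST branch only tells you where to look next, since the parameter travels in the request body that access logs do not record.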

Mitigation and prioritisation

  • Apply a hotfix or upgrade to use parameterised queries and robust input validation on user_id.
  • Enforce least-privilege DB account for the web app; restrict admin-facing operations to authenticated admins only.
  • Deploy WAF/IPS rules to block common SQLi patterns on admin endpoints; monitor for PoC indicators.
  • Review and harden audit logging, implement alerting for admin-related operations, and perform targeted SQLi regression testing.
  • Schedule patching in a controlled window and validate with a focused security test; if KEV or EPSS indicators appear later, escalate to Priority 1.
