CVE Alert: CVE-2025-10842 – code-projects – Online Bidding System
CVE-2025-10842
A vulnerability was detected in code-projects Online Bidding System 1.0. The affected component is an unknown function in the file /administrator/wew.php. Manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit is now public and may be used.
AI Summary Analysis
Risk verdict
Remote SQL injection in the ID parameter of the publicly reachable /administrator/wew.php endpoint, with an openly published PoC; exploitation requires no authentication.
Why this matters
Compromised data integrity and confidentiality in the bidding database are plausible, with potential for data exfiltration or manipulation. The public exploit increases automated attacker interest and the likelihood of rapid exploitation, possibly affecting transaction integrity and availability of the bidding service.
Most likely attack path
An unauthenticated remote attacker targets /administrator/wew.php with a manipulated ID parameter to trigger SQL injection. No user interaction is required, and the exploit proceeds over ordinary web requests. Impacts are scored as constrained to the database (CVSS impact metrics C:L/I:L/A:L), but targeted data access or modification is feasible, especially if the application uses loosely scoped DB credentials or verbose error messages.
Who is most exposed
Publicly accessible PHP-based online auction system deployments, commonly hosted on shared hosting or cloud instances with external access to the admin area.
Detection ideas
- Anomalous or frequent SQL error messages tied to the ID parameter in wew.php access logs.
- Unusual query patterns or long, concatenated SQL strings in application or DB logs.
- Repeated access attempts to /administrator/wew.php with varied ID values from diverse IPs.
- WAF/IDS alerts for SQLi-like payloads targeting PHP endpoints.
- Sudden spikes in DB query latency or failed authentication events on the web app tier.
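As an added example (not part of the original alert or the vendor's code), the following Python script applies the first and third detection ideas above to constructed web-server access-log lines: it isolates requests to /administrator/wew.php, flags ID values that are not plain integers or that carry SQLi-looking syntax, counts 5xx responses to those requests, and tallies distinct ID values per source IP. The combined log format, the sample lines and the keyword list are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined log format (not real traffic). Two sources
# probe the ID parameter and one request ends in a 500, mirroring the "SQL error
# tied to ID" and "varied ID values from diverse IPs" detection ideas.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2025:10:00:01 +0000] "GET /administrator/wew.php?ID=42 HTTP/1.1" 200 512
203.0.113.10 - - [01/Oct/2025:10:00:02 +0000] "GET /administrator/wew.php?ID=42%27 HTTP/1.1" 500 231
203.0.113.11 - - [01/Oct/2025:10:00:03 +0000] "GET /administrator/wew.php?ID=42+OR+1%3D1 HTTP/1.1" 200 9040
198.51.100.7 - - [01/Oct/2025:10:00:04 +0000] "GET /administrator/wew.php?ID=43 HTTP/1.1" 200 512
198.51.100.7 - - [01/Oct/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

TARGET_PATH = "/administrator/wew.php"  # endpoint named in the advisory
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Coarse SQLi indicators for a parameter that should only ever be an integer:
# quotes, SQL comment openers, and common boolean/UNION keywords (assumed list).
SQLI_HINT = re.compile(r"""['"]|--|/\*|\b(?:or|and|union|select|sleep)\b""", re.IGNORECASE)


def analyze(log_text):
    """Summarise suspicious use of the ID parameter on TARGET_PATH for one log chunk."""
    ids_per_ip = defaultdict(set)
    findings = {"non_numeric_id": [], "sqli_like": [], "server_errors": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        parsed = urlparse(m["url"])
        if parsed.path != TARGET_PATH:
            continue
        if m["status"].startswith("5"):
            findings["server_errors"] += 1  # error responses often follow injected syntax
        # parse_qs percent-decodes values and turns '+' into spaces for us.
        for val in parse_qs(parsed.query, keep_blank_values=True).get("ID", []):
            ids_per_ip[m["ip"]].add(val)
            if not val.isdigit():
                findings["non_numeric_id"].append((m["ip"], val))
            if SQLI_HINT.search(val):
                findings["sqli_like"].append((m["ip"], val))
    findings["distinct_ids_per_ip"] = {ip: len(v) for ip, v in ids_per_ip.items()}
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Feed real access logs into analyze() in chunks and alert when non_numeric_id or sqli_like is non-empty, or when one IP cycles through many distinct ID values in a short window.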
Mitigation and prioritisation
- Apply vendor patch or upgrade to fixed version; convert to parameterised queries/prepared statements.
- Implement input validation and strict type checks for ID; remove direct string concatenation in SQL.
- Enforce least privilege on the web app DB account; separate admin/database credentials; rotate secrets.
- Deploy WAF/IPS rules to block SQLi patterns; restrict admin endpoints to trusted networks.
- Change-management: test in staging, then deploy; monitor logs for signs of exploitation. If KEV or EPSS were confirmed as high, escalate to priority 1.