CVE Alert: CVE-2025-9660 – SourceCodester – Bakeshop Online Ordering System
CVE-2025-9660
A vulnerability was found in SourceCodester Bakeshop Online Ordering System 1.0. The affected element is an unknown function in the file /passwordrecover.php. Manipulation of the argument phonenumber leads to SQL injection. The attack can be carried out remotely. A public exploit exists and may be used.
AI Summary Analysis
Risk verdict
High risk. The flaw is publicly disclosed with a proof of concept, and the injection point is a password-recovery endpoint, which is normally reachable before login, so automated, unauthenticated exploitation is feasible.
Why this matters
SQL injection in the lookup behind password recovery gives an attacker read, and usually write, access to the application's database: customer records, orders and stored credentials. In practice that means data exfiltration, tampering with orders or accounts, potential credential compromise, and disruption of the ordering service, with the trust, compliance and revenue consequences that follow.
Most likely attack path
A remote attacker sends a crafted phonenumber value to passwordrecover.php to trigger the injection. No user interaction or privileges are required, and the outcome ranges from reading to modifying or deleting database contents (confidentiality, integrity and availability all affected). With CVSS Scope Unchanged, the compromised component is the application and its database; reaching beyond it, for example to the host, would require additional weaknesses such as an over-privileged database account.
Who is most exposed
Internet-facing deployments of SourceCodester Bakeshop Online Ordering System, typically on LAMP stacks run by small businesses or on shared hosting. SourceCodester projects are distributed as source for self-hosting and are often run unmodified, so any instance whose password-recovery code still builds its query by string concatenation rather than with parameterised queries is exposed.
Detection ideas
- Anomalous requests to passwordrecover.php whose phonenumber value is not a phone number (quotes, UNION SELECT, comment sequences, or time-based payloads such as SLEEP()).
- Database error messages or stack traces in responses or server logs for that endpoint.
- Bursts of requests to the recovery endpoint from a single source, or a rise in slow queries: time-based blind injection produces many requests that each take several seconds.
- WAF logs showing SQL injection patterns targeting passwordrecover.php.
- Signatures for the public PoC from threat-intel feeds and WAF vendors.
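As an added example, not code from the advisory or the project, the following PHP script applies the first detection idea to constructed Apache combined-format access log lines: it isolates requests to /passwordrecover.php, URL-decodes the phonenumber value and flags values that carry injection indicators or simply do not look like a phone number. The sample log lines, the indicator list and the phone-number shape are assumptions.

```php
<?php
// Added example: flag suspicious phonenumber values sent to /passwordrecover.php
// in combined-format access logs. The log lines below are constructed.
$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Sep/2025:08:14:02 +0000] "GET /passwordrecover.php?phonenumber=09171234567 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2025:08:14:05 +0000] "GET /passwordrecover.php?phonenumber=0917%27%20OR%201%3D1--%20- HTTP/1.1" 200 2210 "-" "sqlmap/1.8"
203.0.113.9 - - [10/Sep/2025:08:14:06 +0000] "GET /passwordrecover.php?phonenumber=0917%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 1832 "-" "sqlmap/1.8"
203.0.113.9 - - [10/Sep/2025:08:14:07 +0000] "GET /passwordrecover.php?phonenumber=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20- HTTP/1.1" 500 512 "-" "curl/8.4"
198.51.100.4 - - [10/Sep/2025:08:15:00 +0000] "GET /index.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
LOG;

// Indicators typical of SQL injection probes against a phone/numeric field (assumed list).
$sqliPatterns = [
    '/[\'"`]/'                             => 'quote character',
    '/\bunion\b\s+(all\s+)?\bselect\b/i'   => 'UNION SELECT',
    '/\b(sleep|benchmark|pg_sleep)\s*\(/i' => 'time-based payload',
    '/(--|#|\/\*)/'                        => 'SQL comment sequence',
    '/\b(or|and)\b\s+\d+\s*=\s*\d+/i'      => 'tautology',
];

// Returns null for lines that are not phonenumber requests to the endpoint,
// otherwise an array describing the request and the indicators that matched.
function analyseLine(string $line, array $patterns): ?array {
    // Combined log format: ip ident user [time] "METHOD target PROTO" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $ip, $ts, $method, $target, $status] = $m;
    $url = parse_url($target);
    if (($url['path'] ?? '') !== '/passwordrecover.php' || empty($url['query'])) {
        return null;
    }
    parse_str($url['query'], $params);   // parse_str URL-decodes the values
    $phone = $params['phonenumber'] ?? null;
    if ($phone === null) {
        return null;
    }

    $hits = [];
    foreach ($patterns as $re => $label) {
        if (preg_match($re, $phone)) {
            $hits[] = $label;
        }
    }
    // A phone number is digits with an optional leading +, spaces or dashes (assumed shape).
    if (!preg_match('/^\+?[\d\s-]{6,20}$/', $phone)) {
        $hits[] = 'non-numeric phone value';
    }

    return [
        'ip' => $ip, 'time' => $ts, 'method' => $method, 'status' => (int)$status,
        'phonenumber' => $phone, 'suspicious' => $hits !== [], 'indicators' => array_unique($hits),
    ];
}

foreach (explode("\n", $sampleLog) as $line) {
    $r = analyseLine($line, $sqliPatterns);
    if ($r !== null && $r['suspicious']) {
        printf("ALERT %s %s phonenumber=%s status=%d [%s]\n",
            $r['time'], $r['ip'], $r['phonenumber'], $r['status'], implode(', ', $r['indicators']));
    }
}
```

The first sample line (a plain number) produces no alert; the three probes from 203.0.113.9 are each flagged with the indicators they carry. Two caveats: if the recovery form submits by POST, the parameter never reaches the access log and the same check has to run on a WAF audit log or on application-level logging of the request body; and a status of 500 paired with an injection indicator, as in the fourth line, is the error-message signal from the second bullet and deserves a higher severity.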
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a fixed version if one is available; otherwise rely on the compensating controls below until it is.
- Rewrite the database access in passwordrecover.php to use prepared statements with bound parameters, validate phonenumber as a phone number before it is used, and disable the endpoint if recovery can be handled another way.
- Deploy WAF rules tuned for SQL injection on that path; monitor and alert on suspicious payloads.
- Where the user base permits, restrict the endpoint by network allowlist (a password-recovery page generally cannot sit behind a login), and rate-limit requests to it per source.
- Change management: test fixes in staging, then roll out with monitoring. If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5 (neither is provided here), treat it as priority 1.
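To make the second bullet concrete, here is an added example, not the project's code (the vulnerable function in passwordrecover.php is not published with this advisory), showing the general pattern that produces this class of bug beside a hardened version built on mysqli prepared statements. The table name tbl_customer, the column names, the request handling and the error-reporting setup are all assumptions.

```php
<?php
// Added example, not the project's code: a hypothetical reconstruction of the
// vulnerable pattern (user input concatenated into SQL) beside a hardened version.
// Table and column names are assumptions.

// --- Vulnerable pattern (do not use) ---
function lookupAccountVulnerable(mysqli $db, string $phone): ?array {
    // phonenumber lands inside the SQL string, so a value such as
    //   0917' OR 1=1-- -
    // rewrites the WHERE clause and a UNION SELECT can pull other tables.
    $sql = "SELECT id, email FROM tbl_customer WHERE phonenumber = '$phone'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version ---
function validatePhone(string $phone): ?string {
    // Normalise, then allow only a plausible phone-number shape; reject everything else early.
    $digits = preg_replace('/[\s\-().]/', '', $phone);
    return preg_match('/^\+?\d{6,15}$/', $digits) ? $digits : null;
}

function lookupAccountSafe(mysqli $db, string $phone): ?array {
    $clean = validatePhone($phone);
    if ($clean === null) {
        return null;  // treated exactly like "not found" so the response does not reveal which
    }
    // Prepared statement: the value travels separately from the query text, so
    // quotes, comment markers or UNION in it can never change the SQL structure.
    $stmt = $db->prepare('SELECT id, email FROM tbl_customer WHERE phonenumber = ? LIMIT 1');
    $stmt->bind_param('s', $clean);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Assumed usage inside passwordrecover.php (connection details are placeholders):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors instead of
//                                                            // leaking them into the HTML response
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'bakeshop');
// $account = lookupAccountSafe($db, $_POST['phonenumber'] ?? '');
// Send the same response whether or not $account is null, to avoid account enumeration.
```

Two design points beyond the parameterisation itself: the validation step is a second layer, not a substitute for the prepared statement, because a phone field that only ever reaches the database as a bound string cannot break the query even if validation is later loosened; and enabling mysqli exceptions with a generic error page removes the database error messages that the detection section lists as a signal, which attackers also use to steer error-based injection.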