CVE-2025-61246
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-08

Last updated on: 2026-01-16

Assigner: MITRE

Description
indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-16
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61246
EUVD
EUVD-2026-1431
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
indieka900 online_shopping_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61246 is a critical SQL Injection vulnerability in version 1.0 of the indieka900 online-shopping-system-php application. It occurs in the review_action.php file via the proId parameter, which is directly embedded into SQL queries without proper sanitization or parameterization. This allows attackers to inject malicious SQL code remotely, enabling them to extract sensitive data, bypass authentication, modify or delete records, and potentially execute administrative operations or remote code execution. [1]

Impact Analysis

Successful exploitation of this vulnerability can lead to severe impacts including data breaches involving user information, credentials, and payment data. Attackers can bypass authentication mechanisms, manipulate or delete database records, and potentially gain full system compromise including remote code execution under certain configurations. [1]

Detection Guidance

This vulnerability can be detected by performing time-based blind SQL injection tests on the proId parameter in the master/review_action.php endpoint. An example payload to test is: proId=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -. You can use the provided automated Python exploitation script (exploit.py) from the PoC repository to detect and exploit the vulnerability. Manual testing instructions are also available in the MANUAL_TESTING.md file. Commands would involve sending crafted POST requests with the payload to the vulnerable endpoint and measuring response delays to confirm the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include implementing strict input validation on all user inputs, replacing dynamic SQL queries with parameterized prepared statements (e.g., using prepared statements with bound parameters for the proId parameter), deploying Web Application Firewall (WAF) rules to block SQL injection attempts, and applying the latest security patches to the application. [1]

Compliance Impact

The vulnerability allows attackers to extract sensitive data such as user information, credentials, and payment data, which can lead to data breaches. Such breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information. Therefore, exploitation of this SQL Injection vulnerability can negatively impact compliance with these standards by exposing protected data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart