CVE-2025-1855
Published: 03 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1855 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Online Shopping Portal 2.1. The issue affects an unknown functionality in the file /product-details.php, where manipulation of the arguments quality, price, value, name, summary, or review enables SQL injection.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely. Attackers with low privileges, such as authenticated users, can leverage it to achieve low impacts on confidentiality, integrity, and availability via SQL injection.
Advisories and references, including a GitHub code audit PDF at https://github.com/panghuanjie/Code-audits/blob/main/PHPGurukul/PHPGurukul%20Online%20Shopping%20Portal%20v2.1%20SQL%20Injection3%20.pdf, the vendor site at https://phpgurukul.com/, and VULDB entries at https://vuldb.com/?ctiid.298123, https://vuldb.com/?id.298123, and https://vuldb.com/?submit.506066, detail the issue. The exploit has been disclosed publicly and may be used, with no specific patches mentioned in the available information.
The public disclosure of the exploit increases the risk of real-world exploitation against unpatched instances of PHPGurukul Online Shopping Portal 2.1.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing /product-details.php enables exploitation of public-facing web applications (T1190), abuse of server software components via arbitrary SQL execution (T1505), and data collection from backend databases (T1213.006).