Cyber Posture

CVE-2025-2387

Severity: High · Public PoC available

Published: 17 March 2025
Modified: 28 May 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0016 (36.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-2387 is a critical SQL injection vulnerability in SourceCodester Online Food Ordering System 2.0, affecting an unknown function within the file /admin/ajax.php?action=add_to_cart. The issue arises from manipulation of the 'pid' argument, allowing attackers to inject malicious SQL payloads. It is assigned CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the application's database.

Advisories from VULDB (ctiid.299886, id.299886, submit.516681) and a GitHub issue (aionman/cve/issues/9) detail the vulnerability and confirm the public disclosure of an exploit. The vendor site at sourcecodester.com hosts the affected software, where practitioners should check for updates or patches. No specific mitigation steps are outlined in the primary description, emphasizing the need to review referenced sources promptly.

The exploit has been publicly disclosed and may already be in active use, which warrants immediate scanning and patching of exposed instances.
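As an added, defender-side example (not code from the page or from the affected project), the following scans web-server access logs for requests to the vulnerable endpoint whose `pid` argument is not a plain integer, which is the shape the summary above describes. It assumes Apache/nginx combined log format; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2025:10:01:02 +0000] "GET /admin/ajax.php?action=add_to_cart&pid=12&qty=1 HTTP/1.1" 200 51
10.0.0.9 - - [17/Mar/2025:10:01:09 +0000] "GET /admin/ajax.php?action=add_to_cart&pid=12%27%20OR%201%3D1--&qty=1 HTTP/1.1" 200 4012
10.0.0.9 - - [17/Mar/2025:10:01:15 +0000] "GET /index.php?page=products HTTP/1.1" 200 2201
10.0.0.7 - - [17/Mar/2025:10:02:30 +0000] "GET /admin/ajax.php?action=add_to_cart&pid= HTTP/1.1" 200 51
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def suspicious_pid(target):
    """Return the offending pid value when the request hits
    /admin/ajax.php?action=add_to_cart with a pid that is not a plain
    non-negative integer (the only value the cart action should accept);
    otherwise return None. An empty pid is also reported."""
    parts = urlsplit(target)
    if parts.path != "/admin/ajax.php":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %27 etc.
    if qs.get("action") != ["add_to_cart"]:
        return None
    for pid in qs.get("pid", []):
        if not re.fullmatch(r"[0-9]+", pid):
            return pid
    return None

def scan_log(text):
    """Return one finding per suspicious request: ip, timestamp, decoded pid, status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid = suspicious_pid(m["target"])
        if pid is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "pid": pid, "status": m["status"]})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} pid={h['pid']!r} status={h['status']}")
```

Responses noticeably larger than the benign baseline for the same action (the 4012-byte line here) are worth correlating with the flagged `pid`, since an injected query that returns extra rows changes the response size.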

Details

CWE(s): CWE-74, CWE-89

Affected Products

Vendor: oretnom23
Product: online food ordering system
Version: 2.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in unauthenticated public-facing web application (/admin/ajax.php) enables initial access via exploitation (T1190) and unauthorized database queries for data collection (T1213.006).
