CVE-2025-1173
Published: 11 February 2025
Summary
CVE-2025-1173 is a medium-severity Injection (CWE-74) vulnerability in 1000Projects Bookstore Management System. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). The CVE is ranked at the 22.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1173 is a critical SQL injection vulnerability in the 1000 Projects Bookstore Management System version 1.0. The issue resides in an unspecified component of the file process_users_del.php, where manipulation of the "id" argument enables SQL injection. Associated with CWE-74 (improper neutralization of special elements) and CWE-89 (SQL injection), it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating medium severity despite the critical classification.
Exploitation requires network access with low complexity and high privileges (PR:H), such as an authenticated administrative user, and no user interaction. A remote attacker could inject malicious SQL via the "id" parameter during user deletion processes, potentially resulting in limited impacts: low confidentiality (e.g., partial data exposure), low integrity (e.g., minor unauthorized modifications), and low availability (e.g., minor denial of service).
Advisories are documented on VulDB (ctiid.295077, id.295077, submit.495309), a GitHub issue at NeoVuln/CVE #2, and the project site at 1000projects.org. No specific patch or mitigation details are outlined in the provided references; practitioners should review these sources for updates, such as input sanitization or parameterized queries in process_users_del.php.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2047
Vulnerability details
A vulnerability, which was classified as critical, was found in 1000 Projects Bookstore Management System 1.0. This affects an unknown part of the file process_users_del.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in process_users_del.php enables arbitrary SQL query execution, facilitating data collection from databases (T1213.006) and abuse of server software components (T1505 as cited in advisories).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by requiring validation and sanitization of the 'id' parameter in process_users_del.php.
- SI-2 (Flaw Remediation): Addresses the specific SQL injection flaw through identification, reporting, and correction in the Bookstore Management System.
- Vulnerability scanning detects the SQL injection vulnerability in process_users_del.php for subsequent remediation.
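The remediation named in the deeper analysis (input validation and parameterized queries for the id argument) and the SI-10 control above, shown as an added example; this is not code from the 1000Projects project, and the vulnerable handler is a hypothetical reconstruction of the flaw class, not the actual contents of process_users_del.php. The mysqli connection $db and the users table with an integer id column are assumed.

```php
<?php
// Added example, not the project's own code: the injection pattern the
// advisory describes, beside a hardened handler that applies SI-10 input
// validation and a parameterized query.
// Assumptions (hypothetical): a mysqli connection $db and a table `users`
// whose primary key `id` is an integer.

declare(strict_types=1);

// Vulnerable pattern (hypothetical reconstruction): the raw `id` argument
// is concatenated into the statement, so the query text itself becomes
// attacker-controlled. This is the defect class the CVE reports.
function delete_user_vulnerable(mysqli $db, string $id): bool
{
    $sql = "DELETE FROM users WHERE id = " . $id;
    return (bool) $db->query($sql);
}

// SI-10: validate type and range before the value reaches the database.
// Returns null for anything that is not a positive integer (e.g. "5 OR 1=1").
function validate_user_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened handler: reject invalid input, then bind the value as an integer
// parameter so it can never change the structure of the query.
function delete_user_hardened(mysqli $db, mixed $raw): bool
{
    $id = validate_user_id($raw);
    if ($id === null) {
        http_response_code(400);   // reject rather than "repair" a bad value
        return false;
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' forces integer binding
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Call site as a deletion endpoint would use it; the authorization check for
// the administrative role (PR:H in the CVSS vector) is assumed to run first.
// delete_user_hardened($db, $_GET['id'] ?? null);
```

Because the hardened handler validates before binding, a vulnerability scanner probing the id parameter with injection strings receives a 400 response instead of a database error or altered result.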