Cyber Resilience

CVE-2025-15409

MediumPublic PoC

Published: 01 January 2026

Published
01 January 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15409 is a medium-severity Injection (CWE-74) vulnerability in Anisha Online Guitar Store. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-15409 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Online Guitar Store 1.0. The flaw affects an unknown functionality within the file /admin/Delete_product.php, where manipulation of the del_pro argument triggers the injection.

Attackers can exploit this vulnerability remotely without authentication or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Unauthenticated remote attackers require only low complexity to execute the manipulation, potentially achieving low-level impacts on confidentiality, integrity, and availability through SQL injection.

References include advisories on VulDB (ctiid.339329, id.339329, submit.728393), a GitHub issue at jjjjj-zr/jjjjjzr19/issues/3, and the project site at code-projects.org. The exploit has been publicly disclosed and may be utilized.

The vulnerability's public exploit disclosure heightens the risk for unpatched instances of Online Guitar Store 1.0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was determined in code-projects Online Guitar Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/Delete_product.php. Executing a manipulation of the argument del_pro can lead to sql injection. The attack may be performed from…

more

remote. The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote SQL injection in a public-facing web app directly enables initial access via exploitation of the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15410Same product: Anisha Online Guitar Store
CVE-2025-15407Same product: Anisha Online Guitar Store
CVE-2025-15408Same product: Anisha Online Guitar Store
CVE-2025-1162Same vendor: Anisha
CVE-2025-7411Same vendor: Anisha
CVE-2025-0564Same vendor: Anisha
CVE-2025-7409Same vendor: Anisha
CVE-2025-7211Same vendor: Anisha
CVE-2025-7410Same vendor: Anisha
CVE-2025-0563Same vendor: Anisha

Affected Assets

anisha
online guitar store
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the del_pro argument in Delete_product.php to block SQL injection payloads before they reach the database.

prevent

Enforces access control decisions on the /admin/Delete_product.php endpoint so that unauthenticated remote manipulation of del_pro cannot succeed.

respond

Requires timely remediation of the publicly disclosed SQL injection flaw in the Online Guitar Store 1.0 code base.

References