CVE-2025-1578
Published: 23 February 2025
Summary
CVE-2025-1578 is a medium-severity Injection (CWE-74) vulnerability in Phpgurukul Online Shopping Portal. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SQL injection in /search-result.php by validating and sanitizing the 'Product' input parameter to prevent improper neutralization of special elements.
Requires timely identification, reporting, and correction of the critical SQL injection flaw in the Campcodes Online Shopping Portal 2.1.
Enables periodic vulnerability scanning to identify and report the SQL injection vulnerability (CVE-2025-1578) in the application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing /search-result.php enables exploitation of public-facing application (T1190) and arbitrary data collection from databases (T1213.006).
NVD Description
A vulnerability, which was classified as critical, was found in PHPGurukul/Campcodes Online Shopping Portal 2.1. This affects an unknown part of the file /search-result.php. The manipulation of the argument Product leads to sql injection. It is possible to initiate the…
more
attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1578 is a SQL injection vulnerability classified as critical in PHPGurukul/Campcodes Online Shopping Portal version 2.1. The issue resides in an unknown part of the file /search-result.php, where manipulation of the "Product" argument enables SQL injection. It is associated with CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection).
The vulnerability allows remote exploitation with low privileges required (PR:L), low attack complexity (AC:L), and no user interaction (UI:N) over the network (AV:N). Attackers can achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), with an unchanged scope (S:U), resulting in a CVSS v3.1 base score of 6.3.
VulDB advisories document the vulnerability (ctiid.296553, id.296553) and reference a public submission, while a GitHub repository provides a PDF detailing the foreground SQL injection, including a disclosed exploit that may be used. No patches or specific mitigations are detailed in the available information.
Details
- CWE(s)