CVE-2025-55444
Published: 20 August 2025
Summary
CVE-2025-55444 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Vishalmathur Online Artwork And Fine Arts Project. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly and comprehensively prevents SQL injection in the id2 parameter by requiring validation of inputs to ensure they conform to expected formats and reject malicious SQL payloads.
SI-9 mitigates the vulnerability by restricting inputs to the id2 parameter, such as enforcing numeric-only values, blocking arbitrary SQL query injection.
SC-7 enforces boundary protection at web interfaces, enabling web application firewalls to inspect and block SQL injection attempts targeting cancel_booking.php.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in a public-facing web application (T1190) enables database enumeration and data extraction including credentials (T1213.006, T1552.001), potential privilege escalation, and remote code execution (T1068).
NVD Description
A SQL injection vulnerability exists in the id2 parameter of the cancel_booking.php page in Online Artwork and Fine Arts MCA Project 1.0. A remote attacker can inject arbitrary SQL queries, leading to database enumeration and potential remote code execution.
Deeper analysisAI
CVE-2025-55444 is a SQL injection vulnerability in the id2 parameter of the cancel_booking.php page within the Online Artwork and Fine Arts MCA Project 1.0. This flaw, associated with CWE-20 (Improper Input Validation) and CWE-89 (SQL Injection), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.
A remote attacker with no privileges or user interaction required can exploit this vulnerability over the network with low complexity. By injecting arbitrary SQL queries via the id2 parameter, the attacker can achieve database enumeration and potentially remote code execution, allowing unauthorized access to sensitive data or system compromise.
Advisories detailing the issue are available at the following references, which security practitioners should review for mitigation guidance: https://gist.github.com/Anudeepkadambala/88c6065f1de1597be96e50a573cde56e, https://github.com/Anudeepkadambala/CVE-Reports/blob/main/CVE-2025-55444_Disclosure.md, https://github.com/Anudeepkadambala/CVE-Reports/security/advisories/GHSA-r4mf-mr9h-f27m, and https://github.com/mathurvishal/Online-Artwork-and-Fine-Arts-MCA-Major-Project.
Details
- CWE(s)