CVE-2025-7188
Published: 08 July 2025
Summary
CVE-2025-7188 is a low-severity Injection (CWE-74) vulnerability in Fabian Chat System. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-7188 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Chat System 1.0, affecting an unknown functionality in the file /user/addmember.php through manipulation of the ID argument. The issue allows remote exploitation and was published on 2025-07-08T18:15:45.063 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit the vulnerability over the network with low attack complexity and without requiring user interaction. Successful exploitation enables SQL injection, resulting in low impacts to confidentiality, integrity, and availability.
Advisories and details are available via VulDB at https://vuldb.com/?ctiid.315127, https://vuldb.com/?id.315127, and https://vuldb.com/?submit.607197, as well as the project site https://code-projects.org/. A public exploit disclosure exists at https://github.com/LamentXU123/cve/blob/main/sql_addmember.md and may be used.
The exploit has been disclosed to the public.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20647
Vulnerability details
A vulnerability classified as critical was found in code-projects Chat System 1.0. Affected by this vulnerability is an unknown functionality of the file /user/addmember.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely.…
more
The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote SQL injection in a public-facing web application enables initial access via exploitation of the vulnerable endpoint.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the ID argument in /user/addmember.php to block SQL injection payloads before they reach the database.
Enforces that only authorized, policy-compliant database operations are permitted, preventing the unauthorized queries enabled by the unsanitized ID parameter.
Requires timely remediation of the known SQL injection flaw in addmember.php via patching or code fixes to eliminate the exploitable code path.