Cyber Resilience

CVE-2025-7755

LowPublic PoCUpdated

Published: 17 July 2025

Published
17 July 2025
Modified
17 June 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 31.5th percentile
Risk Priority 15 floored blend · peak EPSS

Summary

CVE-2025-7755 is a low-severity Improper Access Control (CWE-284) vulnerability in Online Ordering System Project Online Ordering System. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-7755 is a vulnerability in code-projects Online Ordering System 1.0 that enables unrestricted file upload. It affects the processing of the file /admin/edit_product.php, where manipulation of the "image" argument allows attackers to upload arbitrary files. Rated as critical with a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it is associated with CWEs 284 (Improper Access Control) and 434 (Unrestricted Upload of File with Dangerous Type). The vulnerability was published on 2025-07-17.

A remote attacker with low privileges can exploit this issue over the network with low complexity and no user interaction required. Successful exploitation leads to limited impacts on confidentiality, integrity, and availability, potentially allowing upload of malicious files that could enable further compromise depending on server configuration.

Advisories and details are available in references such as VulDB entries (ctiid.316745, id.316745, submit.615552), a GitHub issue at github.com/AlbaDove/cve/issues/4, and code-projects.org. The exploit has been disclosed publicly and may be used, so practitioners should review these sources for mitigation guidance and any available patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in code-projects Online Ordering System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/edit_product.php. The manipulation of the argument image leads to unrestricted upload. The attack may be…

more

initiated remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing web app directly enables remote exploitation (T1190) and web shell deployment (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2550Shared CWE-284, CWE-434
CVE-2026-2133Shared CWE-284, CWE-434
CVE-2025-8344Shared CWE-284, CWE-434
CVE-2025-15423Shared CWE-284, CWE-434
CVE-2026-3797Shared CWE-284, CWE-434
CVE-2026-0643Shared CWE-284, CWE-434
CVE-2026-0566Shared CWE-284, CWE-434
CVE-2026-0547Shared CWE-284, CWE-434
CVE-2024-13134Shared CWE-284, CWE-434
CVE-2025-50002Shared CWE-434

Affected Assets

online ordering system project
online ordering system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all inputs including uploaded files to reject dangerous types before they are stored.

prevent

Enforces access-control decisions so that only explicitly permitted operations (e.g., safe image handling) are allowed on edit_product.php.

preventdetect

Malicious-code protection mechanisms can scan or sandbox uploaded files to block or alert on dangerous content.

References