CVE-2024-44660 – PHPGurukul Online Shopping Portal 2.0 contains ... (How to Fix)

Q: What is the severity of CVE-2024-44660?

CVE-2024-44660 has a CVSS score of 6.5 (MEDIUM). PHPGurukul Online Shopping Portal 2.0 contains SQL injection vulnerabilities in the login.php page through the fullname, emailid, and contactno parameters. This allows attackers to execute arbitrary SQL commands on the database. All users running this specific version of the shopping portal are affected.

📋 TL;DR

PHPGurukul Online Shopping Portal 2.0 contains SQL injection vulnerabilities in the login.php page through the fullname, emailid, and contactno parameters. This allows attackers to execute arbitrary SQL commands on the database. All users running this specific version of the shopping portal are affected.

💻 Affected Systems

Products:

PHPGurukul Online Shopping Portal

Versions: 2.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the default installation. Requires PHP environment with database backend.

📦 What is this software?

Online Shopping Portal by Phpgurukul

View all CVEs affecting Online Shopping Portal →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database functions allow it.

🟠

Likely Case

Unauthorized access to sensitive customer data (personal information, payment details), administrative credentials theft, and potential website defacement.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection via login page parameters is well-understood and easily automated. Public proof-of-concept exists in GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries and input validation as workaround.

🔧 Temporary Workarounds

Implement Parameterized Queries

all

Replace direct SQL concatenation with prepared statements using PDO or mysqli

Input Validation and Sanitization

all

Add strict input validation for fullname, emailid, and contactno parameters

🧯 If You Can't Patch

Implement web application firewall (WAF) with SQL injection rules
Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Test login.php with SQL injection payloads in fullname, emailid, or contactno parameters and observe database errors or unexpected behavior.

Check Version:

Check version in application files or admin panel if available

Verify Fix Applied:

Test with same SQL injection payloads after implementing fixes - should receive proper error handling without database errors.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in application logs
Multiple failed login attempts with SQL-like patterns in parameters

Network Indicators:

HTTP POST requests to login.php containing SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="*/login.php" AND (param="fullname" OR param="emailid" OR param="contactno") AND (value="' OR" OR value="' UNION" OR value="' SELECT" OR value="' --")

📊 Metadata

CVE ID: CVE-2024-44660

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-89

EPSS Score: 0.04% exploit probability (10.9th percentile)

Published: November 17, 2025

Last Updated: November 18, 2025

🔗 References

https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44660.md Exploit,Third Party Advisory
https://phpgurukul.com/shopping-portal-free-download/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-44660, you might also want to check these: