CVE-2025-10802

7.3 HIGH

📋 TL;DR

CVE-2025-10802 is an SQL injection vulnerability in code-projects Online Bidding System 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /administrator/remove.php. This affects all deployments of version 1.0. Attackers can potentially read, modify, or delete database contents.

💻 Affected Systems

Products:
  • code-projects Online Bidding System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The vulnerability exists in the default codebase.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, or remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized data access, modification of bidding data, user account compromise, and potential privilege escalation.

🟢 If Mitigated

Limited impact if proper input validation, parameterized queries, and database permissions are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects web applications typically exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to compromise the bidding system and potentially pivot to other systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires administrator access to reach the vulnerable endpoint, but SQL injection can potentially bypass authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Replace the dynamic query in remove.php with a parameterized (prepared) statement and validate the ID parameter before it reaches any database operation.

🔧 Temporary Workarounds

Input Validation and Sanitization


Add server-side validation so that the ID parameter is accepted only when it contains a numeric value.

Modify /administrator/remove.php to check that $_GET['ID'] or $_POST['ID'] is numeric before it is used in any query.
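The two measures above (numeric validation plus a parameterized query, as also recommended under Official Fix) combined in one hardened handler, added here as an example that is not code from the Online Bidding System project. The table name `bids`, the column `id`, the session key `admin_id` and the connection details are assumptions, not values taken from the application.

```php
<?php
// Added example, not the project's own remove.php. Assumes a MySQL backend
// reached through PDO, a table `bids` with integer column `id`, and an
// admin session flag `admin_id` (all assumed; the real schema is not given).

// Weak pattern the advisory describes: the raw parameter is concatenated
// into the SQL text, so whatever the client sends becomes part of the query.
//   $sql = "DELETE FROM bids WHERE id = " . $_GET['ID'];   // vulnerable

function removeBid(PDO $db, $rawId): bool
{
    // 1. Server-side validation: accept only a positive integer.
    //    filter_var() rejects values such as "1' OR '1'='1", "1 UNION ...",
    //    "", "-1" and "1.5" before anything touches the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // 2. Parameterized query: the value is bound, never interpolated, so
    //    even a value that passed validation cannot alter the statement.
    $stmt = $db->prepare('DELETE FROM bids WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() > 0;
}

// The endpoint lives under /administrator/, so keep the admin check in front
// of it; the session key name is an assumption.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Connection details are placeholders.
$db = new PDO('mysql:host=localhost;dbname=bidding', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

$rawId = $_GET['ID'] ?? $_POST['ID'] ?? null;
echo removeBid($db, $rawId) ? 'Removed' : 'Invalid or unknown ID';
```

Pair this with the least-privilege database account recommended under "If You Can't Patch": the application user needs DELETE on `bids`, not broad rights on the whole schema.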

Web Application Firewall (WAF)


Deploy WAF rules that block SQL injection patterns aimed at the remove.php endpoint.

Configure the WAF to block requests whose ID parameter contains SQL keywords (SELECT, UNION, etc.); treat this as a stopgap, since keyword filters can be bypassed and do not replace the code fix.

🧯 If You Can't Patch

  • Restrict access to /administrator/ directory using IP whitelisting or network segmentation
  • Implement database user with minimal privileges (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test by sending SQL injection payloads to /administrator/remove.php?ID=1' OR '1'='1

Check Version:

Check project documentation or source code comments for version information

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return appropriate error messages

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /administrator/remove.php with unusual ID parameters
  • Database error logs showing SQL syntax errors

Network Indicators:

  • HTTP requests containing SQL keywords in URL parameters
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND uri_path="/administrator/remove.php" AND (query_string="*SELECT*" OR query_string="*UNION*" OR query_string="*OR*'1'='1*")

🔗 References
