CVE-2025-1172

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in 1000 Projects Bookstore Management System 1.0 allows attackers to manipulate database queries through the 'bcid' parameter in addtocart.php. Attackers can potentially steal sensitive data, modify database contents, or execute arbitrary commands. Any organization using this bookstore management system is affected.

💻 Affected Systems

Products:
  • 1000 Projects Bookstore Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the addtocart.php file specifically through the bcid parameter

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or remote code execution on the database server

🟠 Likely Case: Unauthorized access to sensitive customer data, order information, and potential privilege escalation

🟢 If Mitigated: Limited impact, with proper input validation and database permissions restricting damage to non-critical data

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects web-facing functionality
🏢 Internal Only: MEDIUM - Internal systems could still be targeted through internal network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed, making exploitation straightforward for attackers

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://1000projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries in addtocart.php

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Add input validation for the bcid parameter in addtocart.php so that only a plain integer ever reaches the query.

Modify addtocart.php to validate bcid as an integer. Note that is_numeric() also accepts floats, exponent notation such as "1e3", and leading whitespace, so use the integer filter instead: if (filter_var($_GET['bcid'] ?? '', FILTER_VALIDATE_INT) === false) { die('Invalid input'); }
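As an added example (not code from 1000 Projects or from this advisory), the following shows the hardened shape of the bcid handling described in the fix instructions and the workaround above: strict integer validation followed by a parameterized mysqli query, so the value can never alter the statement. The table and column names (books, book_id), the database credentials and the use of the mysqli driver are assumptions; the vulnerable pattern in the leading comment is the generic string-concatenation shape, not the project's exact code.

```php
<?php
declare(strict_types=1);

// Vulnerable shape to look for in addtocart.php (assumed form, not the project's exact line):
//   $q = "SELECT * FROM books WHERE book_id = " . $_GET['bcid'];
// The request value becomes part of the SQL text, so it can change the query's structure.

function validate_book_id($raw): ?int
{
    // FILTER_VALIDATE_INT rejects "1.5", "1e3", " 12", arrays and "12 OR 1=1";
    // is_numeric() would accept several of those. Book ids are assumed to be >= 1.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_book(mysqli $db, int $bookId): ?array
{
    // Parameterized query: the SQL text is fixed, the value is bound separately,
    // so even a hostile value can only ever be compared as an integer.
    $stmt = $db->prepare('SELECT book_id, title, price FROM books WHERE book_id = ?');
    $stmt->bind_param('i', $bookId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- addtocart.php-style entry point (assumed) ---
$bookId = validate_book_id($_GET['bcid'] ?? null);
if ($bookId === null) {
    http_response_code(400);
    exit('Invalid book id');
}

// Connection details are placeholders; use a least-privilege account that can
// only SELECT from the catalogue tables and write to the cart tables.
$db = new mysqli('localhost', 'bookstore_app', 'app-password', 'bookstore');
$db->set_charset('utf8mb4');

$book = fetch_book($db, $bookId);
if ($book === null) {
    http_response_code(404);
    exit('Book not found');
}
// ... add $book to the session cart ...
```

The two layers are complementary: validation stops malformed input at the edge and produces a clean 400 for monitoring, while the bound parameter guarantees that whatever does reach the database is treated as data, which is what closes the injection regardless of how the validation evolves.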

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block SQL injection attempts against the bcid parameter. A keyword blocklist is a stopgap that cuts down opportunistic traffic; it does not replace fixing the query in addtocart.php.

Add a ModSecurity rule (with (?i) so that mixed-case keywords are matched as well): SecRule ARGS:bcid "@rx (?i)(?:'|\"|;|--|union|select|insert|update|delete|drop|create|alter)" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"

Because bcid should only ever carry an integer, a positive rule that denies any value not matching ^[0-9]+$ (an "!@rx" operator in ModSecurity) is tighter than the keyword list and avoids the bypasses that blocklists are prone to.

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Test the addtocart.php endpoint with SQL injection payloads in the bcid parameter

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that input validation is properly implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web server, SQL syntax errors in application logs, multiple failed addtocart attempts

Network Indicators:

  • HTTP requests to addtocart.php with SQL keywords in parameters, unusual database traffic patterns

SIEM Query:

source="web_logs" AND uri="*addtocart.php*" AND (param="*union*" OR param="*select*" OR param="*insert*" OR param="*' OR '1'='1*")

🔗 References
