CVE-2025-12215
📋 TL;DR
This SQL injection vulnerability in Projectworlds Online Shopping System 1.0 allows attackers to execute arbitrary SQL commands via the 'keywords' parameter in /login_submit.php. Attackers can potentially access, modify, or delete database contents including user credentials and payment information. Any organization using this specific version of the shopping system is affected.
💻 Affected Systems
- Projectworlds Online Shopping System
📦 What is this software?
Online Shopping System by Projectworlds
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to theft of all customer data (PII, payment info), administrative account takeover, website defacement, and potential lateral movement to other systems.
Likely Case
Data exfiltration of user credentials and customer information, potential privilege escalation to administrative access, and database manipulation.
If Mitigated
Limited information disclosure if proper input validation and WAF rules are in place, but the system remains vulnerable to skilled attackers.
🎯 Exploit Status
Exploit details are publicly available on GitHub, making this easily weaponizable by attackers with basic SQL injection knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider migrating to a maintained shopping platform or implementing custom fixes with parameterized queries.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation to sanitize all user inputs, particularly the 'keywords' parameter
Edit /login_submit.php so the query is built with PDO prepared statements, or at minimum pass the value through mysqli_real_escape_string()
Web Application Firewall Rules
Implement WAF rules to block SQL injection patterns in the keywords parameter
Add ModSecurity rule: SecRule ARGS:keywords "@detectSQLi" "id:1001,phase:2,deny"
🧯 If You Can't Patch
- Isolate the system behind a reverse proxy with strict input filtering
- Implement network segmentation to limit database access from the web server
🔍 How to Verify
Check if Vulnerable:
Test the /login_submit.php endpoint with SQL injection payloads in the keywords parameter (e.g., ' OR '1'='1)
Check Version:
Check the software version in the admin panel or in the readme files
Verify Fix Applied:
Repeat the SQL injection tests and verify that the application returns a proper error message and that no database manipulation occurs
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple failed login attempts with SQL-like patterns in the keywords parameter
- Database queries with unusual syntax originating from the web server's IP
Network Indicators:
- HTTP POST requests to /login_submit.php containing SQL keywords (UNION, SELECT, etc.) in parameters
- Unusual database traffic patterns from web server
SIEM Query:
source="web_logs" AND uri="/login_submit.php" AND (keywords="*UNION*" OR keywords="*SELECT*" OR keywords="*OR*1*" OR keywords="*--*" OR keywords="*;*" OR keywords="*'*'*'")
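The SIEM query above rendered as a small offline check, added here as an example rather than anything from the advisory or the vendor: it parses constructed key="value" web-log records (the addresses are invented), applies the same uri filter and wildcard terms, and counts hits per source address for the "multiple attempts" indicator.

```python
import re
from collections import Counter

# Constructed sample records (not from any real system), as a SIEM might index
# the web_logs source; the addresses are made up.
SAMPLE_LOGS = [
    'source="web_logs" uri="/login_submit.php" src="10.0.0.5" keywords="running shoes"',
    'source="web_logs" uri="/login_submit.php" src="198.51.100.7" keywords="\' OR \'1\'=\'1"',
    'source="web_logs" uri="/login_submit.php" src="198.51.100.7" keywords="x\' UNION SELECT 1,2 -- "',
    'source="web_logs" uri="/index.php" src="10.0.0.9" keywords="select a size"',
    'source="web_logs" uri="/login_submit.php" src="10.0.0.9" keywords="a; b"',
    'source="web_logs" uri="/login_submit.php" src="10.0.0.3" keywords="sneakers for 10"',
]

# The SIEM query's wildcard terms as regexes ("*" = any run of characters; a
# term with no trailing "*" must match at the end). Treating field values as
# case-insensitive is an assumption about the SIEM.
KEYWORD_PATTERNS = {
    "*UNION*": re.compile(r"UNION", re.I),
    "*SELECT*": re.compile(r"SELECT", re.I),
    "*OR*1*": re.compile(r"OR.*1", re.I),
    "*--*": re.compile(r"--"),
    "*;*": re.compile(r";"),
    "*'*'*'": re.compile(r"'.*'.*'$"),
}

def parse_record(line: str) -> dict:
    """Split a key="value" record into a dict (values may not contain a quote)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def matched_terms(record: dict) -> list:
    """Query terms triggered by the keywords field, after the source/uri filter."""
    if record.get("source") != "web_logs" or record.get("uri") != "/login_submit.php":
        return []
    return [t for t, rx in KEYWORD_PATTERNS.items() if rx.search(record.get("keywords", ""))]

def flag_suspicious(lines) -> list:
    """Records the SIEM query would return, each with the terms it hit."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        terms = matched_terms(rec)
        if terms:
            hits.append({"src": rec.get("src"), "keywords": rec["keywords"], "terms": terms})
    return hits

def hits_per_source(hits) -> Counter:
    """Repeated hits from one address back the 'multiple attempts' indicator."""
    return Counter(h["src"] for h in hits)
```

The last sample record shows that the `*OR*1*` term also fires on ordinary search text such as "sneakers for 10", so expect to tune that term before alerting on single hits.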