CVE-2025-13560

7.3 HIGH

📋 TL;DR

CVE-2025-13560 is a SQL injection vulnerability in SourceCodester Company Website CMS 1.0. The email parameter handled by the admin password reset function (/admin/reset-password.php) is placed into a database query without validation or parameterization, so a remote attacker with no account can alter the query and read, modify, or delete database contents. Every installation of this version is affected; no non-default configuration is needed.

💻 Affected Systems

Products:
  • SourceCodester Company Website CMS
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. No special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft of admin credentials, exfiltration of every table, and tampering with stored content. Code execution on the host is possible only if the application's database account holds extra privileges (for example file-write) that an injected query can abuse.

🟠 Likely Case

Extraction of user and admin records (including password hashes), followed by admin takeover, data manipulation, or site defacement.

🟢 If Mitigated

Impact is limited if the application's database account has only the privileges it needs and a WAF in front of the site blocks common injection patterns. Neither measure removes the bug; they only constrain what an injection can reach.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible remotely without authentication, making it easily exploitable from the internet.
🏢 Internal Only: MEDIUM - While still vulnerable, internal-only deployments have reduced attack surface from external threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is publicly available and requires no authentication. Basic SQL injection techniques can be used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch is known at the time of writing. Check the vendor site for a newer release; until one is available, apply the workarounds below and the access restrictions under "If You Can't Patch".

🔧 Temporary Workarounds

Input Validation and Sanitization

Platforms: all

Add input validation and parameterized queries to /admin/reset-password.php: validate the submitted email (for example with filter_var and FILTER_VALIDATE_EMAIL), then look it up with a prepared statement that binds the value as a parameter, so the submitted string is never concatenated into SQL text. Escaping alone is not a substitute for parameterization.

Web Application Firewall Rules

Platforms: all

Add a WAF rule that blocks requests to /admin/reset-password.php whose email parameter contains quote characters, comment sequences (--, /*, #) or SQL keywords. Treat this as a stopgap only: keyword and character blocklists are routinely bypassed with URL encoding, case changes and comment tricks, and a strict allowlist (reject anything that is not a syntactically valid email address) is more robust than a keyword blocklist.
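As an added illustration (not SourceCodester's own code), the following PHP shows the unsafe string-building lookup that the advisory describes beside a hardened version that validates the address and uses a mysqli prepared statement. The table and column names (users.id, users.email, users.reset_token, users.reset_expires), the $db connection and the POST field name are assumptions, and the vulnerable function is a generic reconstruction of the pattern rather than the CMS's actual source:

```php
<?php
// Added example, not SourceCodester's code. The table and column names
// (users.id, users.email, users.reset_token, users.reset_expires) and the
// mysqli connection $db are assumptions; the vulnerable function is a
// generic reconstruction of the pattern the advisory describes.

// VULNERABLE pattern: the submitted value becomes part of the SQL text.
// email=test' OR '1'='1 turns the WHERE clause into a tautology, and a
// UNION payload can pull data from other tables into the result.
function find_account_vulnerable(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $res = $db->query($sql);          // any quote in $email rewrites the query
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED pattern: reject anything that is not shaped like an address,
// then bind the value as a parameter so the driver never parses it as SQL.
function find_account_safe(mysqli $db, string $email): ?array
{
    // Allowlist check (defence in depth; the prepared statement is the fix).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, email FROM users WHERE email = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $email);   // 's' = string, sent separately from the SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Stores a single-use reset token for the account, again with bound
// parameters. Only the SHA-256 of the token is stored, so a later database
// read (for example via another injection) does not yield usable tokens.
function store_reset_token(mysqli $db, int $userId): string
{
    $token   = bin2hex(random_bytes(32));          // 256 bits, unguessable
    $digest  = hash('sha256', $token);
    $expires = (new DateTimeImmutable('+30 minutes'))->format('Y-m-d H:i:s');
    $stmt = $db->prepare(
        "UPDATE users SET reset_token = ?, reset_expires = ? WHERE id = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssi', $digest, $expires, $userId);
    $stmt->execute();
    $stmt->close();
    return $token;                                 // raw token goes only in the mail
}

// Handler for the reset form, assumed to be a POST with an `email` field.
// The reply is the same whether or not the address exists, so the endpoint
// cannot be used to enumerate admin accounts.
function handle_reset_request(mysqli $db, array $post): string
{
    $email   = (string)($post['email'] ?? '');
    $account = find_account_safe($db, $email);
    if ($account !== null) {
        $token = store_reset_token($db, (int)$account['id']);
        // Sending the mail with a link carrying $token is deployment-specific
        // and omitted here.
    }
    return 'If that address is registered, a reset link has been sent.';
}
```

The allowlist check rejects the advisory's probe (test' OR '1'='1) before any query runs, but the prepared statement is what actually closes the hole: even an address that passes validation is transmitted to the server as data, not as part of the statement.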

🧯 If You Can't Patch

  • Restrict access to /admin/reset-password.php using IP whitelisting or authentication requirements
  • Implement database-level protections: restrict application database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Send a request to /admin/reset-password.php with a probe value in the email parameter (e.g., email=test' OR '1'='1) and compare the response with that for a benign, non-existent address. A database error, a materially different response, or a reset flow that proceeds for an address that does not exist indicates the parameter reaches the query unescaped. Because attacker-supplied quotes can also break the query without changing visible output, a time-based probe confirms a negative result more reliably than a single boolean payload.

Check Version:

Check CMS version in admin panel or readme files; look for 'Company Website CMS 1.0'

Verify Fix Applied:

Repeat the same probes after the fix. A correctly patched endpoint treats the payload as an ordinary (invalid) email address: it returns the normal validation or "not registered" response, emits no database error, and shows no timing difference or changed query behaviour. A response containing SQL error text means the input still reaches the query.

📡 Detection & Monitoring

Log Indicators:

  • Database error messages (syntax errors, unexpected column counts) surfacing in web server or application logs
  • Bursts of password reset attempts from one source with SQL-like patterns in the email parameter
  • Requests to /admin/reset-password.php whose email value contains quotes, comment sequences or is not a syntactically valid address

Network Indicators:

  • HTTP POST requests to /admin/reset-password.php containing SQL keywords (UNION, SELECT, INSERT, etc.)
  • Unusual database query patterns from web server IP

SIEM Query:

source="web_logs" AND uri_path="/admin/reset-password.php" AND (email="*'*" OR email="*--*" OR email="*UNION*" OR email="*SELECT*")

The email field must actually be present in the indexed events: standard web server access logs do not record POST bodies, so the parameter has to come from WAF or application-level request logging. Match URL-encoded forms as well (%27 for the quote, %2D%2D for the comment sequence), make keyword matches case-insensitive, and expect occasional false positives from legitimate addresses that contain an apostrophe.
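As an added example (not part of the advisory), the PHP below applies the indicators above to a constructed JSON-lines request log of the kind a WAF or application logger would produce. The log format, field names and sample requests are all assumptions; the logic percent-decodes the parameter before matching and scores a lone quote lower than quote-plus-SQL-syntax, since apostrophes are legal in the local part of an email address:

```php
<?php
// Added example, not part of the advisory. It scans a constructed JSON-lines
// request log (the kind a WAF or application-level logger would emit; plain
// access logs do not contain POST bodies) and flags requests to the
// vulnerable endpoint whose email parameter carries injection indicators.

const TARGET_PATH = '/admin/reset-password.php';

// See the value the way the application would: percent-decode (repeated, to
// catch double encoding), collapse whitespace, lower-case for keyword tests.
// rawurldecode is used so a legitimate '+' in an address is left alone.
function normalise_param(string $raw): string
{
    $v = $raw;
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($v);
        if ($decoded === $v) {
            break;
        }
        $v = $decoded;
    }
    return strtolower(trim(preg_replace('/\s+/', ' ', $v)));
}

// Returns [severity, reasons] for a suspicious request, or null for benign
// traffic or requests to other paths. A quote alone is 'low'; quote plus
// comment syntax, SQL keywords or a tautology pattern is 'high'.
function classify_email_param(string $path, string $rawEmail): ?array
{
    if ($path !== TARGET_PATH) {
        return null;                                   // not the vulnerable endpoint
    }
    $e = normalise_param($rawEmail);
    $reasons = [];
    $high = false;
    if (strpbrk($e, "'\"") !== false) {
        $reasons[] = 'quote character';
    }
    if (preg_match('~--|/\*|#|;~', $e)) {
        $reasons[] = 'comment or statement terminator';
        $high = true;
    }
    if (preg_match('/\b(union|select|insert|update|delete|drop|sleep|benchmark)\b/', $e)) {
        $reasons[] = 'SQL keyword';
        $high = true;
    }
    if (preg_match('/\b(or|and)\b\s*[\'"\d(]/', $e)) {
        $reasons[] = 'boolean tautology pattern';
        $high = true;
    }
    if ($reasons === []) {
        return null;
    }
    return [$high ? 'high' : 'low', $reasons];
}

// Walks the log and returns one record per suspicious request.
function scan_log(string $jsonLines): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($jsonLines)) as $line) {
        $ev = json_decode($line, true);
        if (!is_array($ev)) {
            continue;                                  // skip malformed lines
        }
        $raw = (string)($ev['params']['email'] ?? '');
        $verdict = classify_email_param((string)($ev['path'] ?? ''), $raw);
        if ($verdict !== null) {
            $hits[] = ['src_ip' => $ev['src_ip'] ?? '?', 'severity' => $verdict[0],
                       'email' => $raw, 'reasons' => $verdict[1]];
        }
    }
    return $hits;
}

// Constructed sample log: one benign request, two attack requests (the second
// URL-encoded), one real-looking address containing an apostrophe, and one
// injection attempt against a different page that this rule ignores.
const SAMPLE_LOG = <<<'LOG'
{"src_ip":"203.0.113.7","method":"POST","path":"/admin/reset-password.php","params":{"email":"admin@example.com"}}
{"src_ip":"203.0.113.7","method":"POST","path":"/admin/reset-password.php","params":{"email":"test' OR '1'='1"}}
{"src_ip":"203.0.113.7","method":"POST","path":"/admin/reset-password.php","params":{"email":"x%27%20UNION%20SELECT%201,2--"}}
{"src_ip":"198.51.100.9","method":"POST","path":"/admin/reset-password.php","params":{"email":"o'brien@example.com"}}
{"src_ip":"198.51.100.4","method":"GET","path":"/index.php","params":{"page":"about' OR 1=1"}}
LOG;

foreach (scan_log(SAMPLE_LOG) as $h) {
    printf("%-14s %-4s %-32s %s\n", $h['src_ip'], $h['severity'],
           $h['email'], implode(', ', $h['reasons']));
}
```

On the sample log the two requests from 203.0.113.7 with payloads are reported as high (quote plus tautology pattern; quote plus comment plus keyword after decoding), the o'brien address is reported as low on the quote alone, and the benign and off-path requests produce nothing. In a SIEM, the same split justifies alerting on a single high hit but only on repeated low hits from one source.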
