CVE-2025-14248

7.3 HIGH

📋 TL;DR

CVE-2025-14248 is an SQL injection vulnerability in Simple Shopping Cart 1.0's admin login page that allows attackers to execute arbitrary SQL commands. This affects all installations of Simple Shopping Cart 1.0 with the vulnerable /adminlogin.php file. Attackers can potentially gain administrative access, steal data, or compromise the entire system.

💻 Affected Systems

Products:
  • Simple Shopping Cart
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the default /adminlogin.php file are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including database takeover, data exfiltration, and potential remote code execution leading to full server control.

🟠 Likely Case: Administrative account takeover, database manipulation, and sensitive data theft including customer information and payment details.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, potentially only error messages or failed login attempts.

🌐 Internet-Facing: HIGH - The vulnerability is in an admin login page that's typically internet-facing, and remote exploitation is confirmed possible.
🏢 Internal Only: MEDIUM - If the admin interface is restricted to internal networks only, risk is reduced but still significant for internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit is publicly available and SQL injection attacks are well-understood with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to supported e-commerce software or implementing custom fixes with parameterized queries.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Add input validation and parameterized queries to adminlogin.php to prevent SQL injection.
  • Edit adminlogin.php to use prepared statements with parameterized queries instead of direct string concatenation.

Web Application Firewall (WAF) (applies to: all)

  • Deploy a WAF with SQL injection protection rules.
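As an added example (not code from Simple Shopping Cart or from code-projects.org), here is the string-concatenation pattern that the first workaround above targets, next to a prepared-statement version of the same login check for adminlogin.php. The table and column names (admin, password_hash), the admin_password form field and the connection details are assumptions; the page itself only names adminlogin.php and the admin_username parameter.

```php
<?php
// Added example (not the Simple Shopping Cart project's code): the injectable
// pattern the advisory describes, next to a hardened replacement for the
// login handler in adminlogin.php. Assumptions: a mysqli connection, a table
// `admin` with columns admin_username and password_hash (table and column
// names are assumptions), and a form posting admin_username and admin_password.
declare(strict_types=1);
session_start();

// Vulnerable pattern: the username and password are concatenated into the SQL
// text, so a quote in either field changes the query structure. With the
// payload shown in the verification section, the WHERE clause becomes
// always-true and the first admin row is returned without a valid password.
function vulnerable_login(mysqli $db, string $user, string $pass): ?array
{
    $sql = "SELECT id, admin_username FROM admin "
         . "WHERE admin_username = '$user' AND password = '$pass'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

// Hardened form: a prepared statement with a bound parameter. The driver sends
// the value separately from the query text, so quotes and SQL keywords in
// $user are treated as data, not syntax. The password is checked in PHP
// against a stored hash and is never compared inside SQL.
function safe_login(mysqli $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT id, admin_username, password_hash FROM admin WHERE admin_username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Request handling. Connection details are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'cart_user', 'DB-PASSWORD-PLACEHOLDER', 'shopping_cart');
$db->set_charset('utf8mb4');

$user = (string) ($_POST['admin_username'] ?? '');
$pass = (string) ($_POST['admin_password'] ?? '');

$admin = safe_login($db, $user, $pass);
if ($admin === null) {
    // Same generic response for unknown user and wrong password; never echo
    // the submitted values or a database error message back to the client.
    http_response_code(401);
    exit('Login failed');
}
session_regenerate_id(true);
$_SESSION['admin_id'] = $admin['id'];
```

The prepared statement removes the injection regardless of how passwords are stored, so it can be applied first; password_verify() assumes the column holds password_hash() output, and if the existing table stores plaintext or unsalted hashes, migrating that column is a separate part of the fix.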

🧯 If You Can't Patch

  • Restrict access to /adminlogin.php using IP whitelisting or network segmentation
  • Implement strong authentication mechanisms and monitor for suspicious login attempts

🔍 How to Verify

Check if Vulnerable:

Check whether /adminlogin.php exists and passes the admin_username parameter into a SQL query by direct string concatenation rather than through a parameterized query. Test with SQL injection payloads like ' OR '1'='1

Check Version:

Check the software version in configuration files or about pages, typically in config.php or similar

Verify Fix Applied:

Test the admin login with SQL injection payloads to ensure they're rejected or properly handled

📡 Detection & Monitoring

Log Indicators:

  • Unusual database errors in the application (PHP) or web server error logs, especially MySQL syntax errors triggered by login requests
  • Multiple failed login attempts with SQL-like patterns
  • Successful admin logins from unusual IPs

Network Indicators:

  • HTTP POST requests to /adminlogin.php containing SQL keywords like UNION, SELECT, OR

SIEM Query:

source="web_server" AND (uri="/adminlogin.php" AND (request_body CONTAINS "' OR" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT"))
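The SIEM query above, as an added example that is not part of the original page, expressed as a matcher over constructed log entries and placed next to a tightened version. Entries are assumed to be arrays with the same field names the query uses (source, uri, request_body); the sample values are constructed, not captured traffic.

```php
<?php
// Added example (not from the original page): the advisory's SIEM query as a
// PHP matcher, next to a tightened rule, run over constructed log entries.
// Log entry shape (assumed): ['source' => ..., 'uri' => ..., 'request_body' => ...].
declare(strict_types=1);

// Literal translation of the query as written: case-sensitive substring
// checks on the raw request body.
function matches_siem_rule(array $e): bool
{
    if (($e['source'] ?? '') !== 'web_server' || ($e['uri'] ?? '') !== '/adminlogin.php') {
        return false;
    }
    $body = $e['request_body'] ?? '';
    return str_contains($body, "' OR")
        || str_contains($body, 'UNION')
        || str_contains($body, 'SELECT');
}

// Tightened rule: decode form encoding first (a browser sends the quote as
// %27 and the space as +), match keywords case-insensitively and only as whole
// words, and look for the quote-then-boolean shape rather than any "OR".
function matches_tightened_rule(array $e): bool
{
    if (($e['source'] ?? '') !== 'web_server' || ($e['uri'] ?? '') !== '/adminlogin.php') {
        return false;
    }
    $body = urldecode($e['request_body'] ?? '');
    return (bool) preg_match('/\'\s*(or|and)\b|\b(union|select)\b\s+\w/i', $body);
}

// Constructed sample entries (not real traffic).
$samples = [
    // Classic tautology payload, form-encoded as a browser would send it.
    ['source' => 'web_server', 'uri' => '/adminlogin.php',
     'request_body' => 'admin_username=admin&admin_password=%27+OR+%271%27%3D%271'],
    // UNION-based probe.
    ['source' => 'web_server', 'uri' => '/adminlogin.php',
     'request_body' => 'admin_username=admin%27+UNION+SELECT+1%2C2%2C3--&admin_password=x'],
    // Benign: a password that merely contains the substring SELECT.
    ['source' => 'web_server', 'uri' => '/adminlogin.php',
     'request_body' => 'admin_username=victoria&admin_password=SELECTOR2024'],
    // Benign ordinary login.
    ['source' => 'web_server', 'uri' => '/adminlogin.php',
     'request_body' => 'admin_username=admin&admin_password=hunter2'],
    // Payload against a different URI; out of scope for this rule.
    ['source' => 'web_server', 'uri' => '/index.php',
     'request_body' => 'q=%27+OR+1%3D1'],
];

// Expected: sample 0 literal=- tightened=HIT (the literal rule misses the
// encoded quote), sample 1 both HIT, sample 2 literal=HIT (false positive)
// tightened=-, samples 3 and 4 both -.
foreach ($samples as $i => $entry) {
    printf("sample %d: literal=%s tightened=%s\n", $i,
        matches_siem_rule($entry) ? 'HIT' : '-',
        matches_tightened_rule($entry) ? 'HIT' : '-');
}
```

Two caveats the run makes visible: the literal rule misses the advisory's own payload when the body is still form-encoded (so confirm whether the SIEM decodes request_body before matching), and bare substring checks for SELECT and OR fire on ordinary passwords. The query also assumes POST bodies are logged at all; default web server access logs record only the request line, so this field usually has to come from a WAF, reverse proxy, or application-level logging.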
