CVE-2025-14251

7.3 HIGH

📋 TL;DR

CVE-2025-14251 is an SQL injection vulnerability in code-projects Online Ordering System 1.0 that allows attackers to manipulate database queries through the admin login username parameter. This enables potential authentication bypass, data theft, or system compromise. All deployments of version 1.0 with the vulnerable admin component are affected.

💻 Affected Systems

Products:
  • code-projects Online Ordering System
Versions: 1.0
Operating Systems: All platforms running PHP/MySQL web servers
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /admin/ directory component specifically; any installation with this path accessible is vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including database takeover, credential theft, and potential lateral movement to connected systems

🟠 Likely Case: Authentication bypass leading to unauthorized admin access, data exfiltration, and potential website defacement

🟢 If Mitigated: Limited impact with proper input validation and WAF protection; potentially only error messages exposed

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication against exposed admin interfaces
🏢 Internal Only: MEDIUM - Still vulnerable but attack surface reduced to internal network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit disclosed on GitHub with specific payload examples; SQL injection is a well-understood attack vector

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Consider migrating to alternative software or implementing custom fixes with parameterized queries
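What "parameterized queries" means for the admin login specifically, as an added example that is not code from code-projects: the vulnerable concatenation pattern beside a prepared-statement rewrite. The table and column names (admin, username, password_hash), the connection string and the credentials are assumptions for illustration.

```php
<?php
// Added example (not the vendor's code). Table/column names (admin, username,
// password_hash) and the connection details are assumptions for illustration.

// Pattern behind CVE-2025-14251: the username parameter is concatenated into the
// query text, so quote characters in it change the meaning of the query.
function adminLoginVulnerable(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM admin "
         . "WHERE username = '$username' AND password = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: a prepared statement sends the value as a bound parameter, so it
// can only ever be compared as data, and the password is checked against a hash
// in PHP rather than inside the SQL text.
function adminLoginSafe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM admin WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Disable emulated prepares so parameter binding is done by the MySQL server itself.
$db = new PDO('mysql:host=localhost;dbname=ordering;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$admin = adminLoginSafe($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

The same rewrite applies to every other query in the application that builds SQL from request parameters; fixing only the admin login leaves the rest of the attack surface as it was.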

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Platform: all

Implement WAF rules to block SQL injection patterns in admin login requests

Admin Path Restriction

Platform: linux

Restrict access to /admin/ directory using IP whitelisting or authentication

# Apache (mod_access_compat syntax), in the <Directory> block or .htaccess for /admin/
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

# Nginx, inside the location /admin/ block
allow 192.168.1.0/24;
deny all;

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system from critical assets
  • Enable detailed logging and monitoring for SQL injection attempts on admin login endpoints

🔍 How to Verify

Check if Vulnerable:

Test the admin login with SQL injection payloads like ' OR '1'='1 in the username field and observe database errors or unexpected behavior

Check Version:

Check source code or documentation for version 1.0 references; no built-in version command available

Verify Fix Applied:

After implementing fixes, attempt SQL injection payloads and verify they are blocked or properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Multiple failed login attempts with unusual characters
  • Admin login attempts from unexpected IPs

Network Indicators:

  • HTTP POST requests to /admin/ with SQL keywords in parameters
  • Unusual database query patterns from web server

SIEM Query:

source="web_server" AND (url_path="/admin/" AND (username="*'*" OR username="*OR*" OR username="*--*"))
