CVE-2025-14900

4.7 MEDIUM

📋 TL;DR

CVE-2025-14900 is an SQL injection vulnerability in CodeAstro Real Estate Management System 1.0 that allows attackers to manipulate database queries via the ID parameter in the /admin/userdelete.php endpoint. This affects all installations of version 1.0, potentially allowing unauthorized data access or modification. The vulnerability is remotely exploitable and a public exploit exists.

💻 Affected Systems

Products:
  • CodeAstro Real Estate Management System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /admin/userdelete.php endpoint specifically. Requires PHP environment with database connectivity.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, or deletion of all real estate management data, potential privilege escalation to administrative access.

🟠 Likely Case

Unauthorized access to sensitive user data, modification of property listings, or deletion of user accounts.

🟢 If Mitigated

Limited impact if proper input validation and WAF rules are in place, potentially only error messages or failed queries.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects an administrative endpoint that may be exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain unauthorized access or modify system data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to the admin endpoint, which typically requires authentication. The SQL injection is straightforward parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://codeastro.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Add parameter validation and sanitization to the userdelete.php file to prevent SQL injection.

Modify /admin/userdelete.php to validate and sanitize the ID parameter using prepared statements or proper escaping.
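A hardened handler of the shape described above, added here as an illustration and not CodeAstro's own code: the session key, table and column names, and database credentials are assumptions. It refuses unauthenticated callers, validates ID as a positive integer and binds it through a mysqli prepared statement, so a value such as the 1' OR '1'='1 probe mentioned later on this page is rejected before it can reach the query.

```php
<?php
// Added example: hardened /admin/userdelete.php handler (assumed structure,
// not the project's code). The vulnerable pattern this replaces is interpolating
// the raw ID request parameter directly into a DELETE statement string.
declare(strict_types=1);
session_start();

// 1. The endpoint is administrative: refuse anonymous or non-admin callers.
//    'admin_id' is an assumed session key.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. A destructive action should not be reachable through a plain GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. Validate ID as a positive integer before it goes anywhere near SQL.
//    FILTER_VALIDATE_INT rejects "1' OR '1'='1", "1 UNION ...", "", and "1abc".
$id = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid ID');
}

// 4. Even with a validated integer, bind it as a parameter: the query text is
//    fixed and the value is sent separately, so it cannot change the statement.
//    Credentials and database name are placeholders.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'realestate');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('DELETE FROM users WHERE id = ?');  // assumed table/column
$stmt->bind_param('i', $id);
$stmt->execute();

// 5. Record who deleted what, so the action is attributable during review.
error_log(sprintf('admin %d deleted user %d (%d row(s))',
    (int) $_SESSION['admin_id'], $id, $stmt->affected_rows));

$stmt->close();
$db->close();
header('Location: users.php');
```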

Web Application Firewall Rules (applies to: all)

Implement WAF rules to block SQL injection attempts targeting the userdelete.php endpoint.

Add WAF rule: Block requests to /admin/userdelete.php with suspicious SQL patterns in parameters

🧯 If You Can't Patch

  • Restrict access to /admin/userdelete.php endpoint using IP whitelisting or authentication requirements.
  • Implement database monitoring to detect unusual query patterns from the real estate management system.

🔍 How to Verify

Check if Vulnerable:

Test the /admin/userdelete.php endpoint with SQL injection payloads in the ID parameter (e.g., ID=1' OR '1'='1).

Check Version:

Check system documentation or configuration files for version information, typically in readme files or admin panels.

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that parameter validation is properly implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from the real estate system
  • Multiple failed login attempts followed by userdelete.php access
  • SQL error messages in application logs

Network Indicators:

  • HTTP requests to /admin/userdelete.php with SQL patterns in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/userdelete.php" AND (param="*sql*" OR param="*union*" OR param="*select*" OR param="*' OR*")

🔗 References