CVE-2025-15073

7.3 HIGH

📋 TL;DR

CVE-2025-15073 is an SQL injection vulnerability in itsourcecode Online Frozen Foods Ordering System 1.0 that allows remote attackers to execute arbitrary SQL commands via the Name parameter in /contact_us.php. All deployments of version 1.0 of this ordering system are affected. Attackers can potentially access, modify, or delete database content without authentication.

💻 Affected Systems

Products:
  • itsourcecode Online Frozen Foods Ordering System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability is in the contact_us.php file, which is typically publicly accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including sensitive customer data (PII, payment information), administrative credential theft, and potential server takeover via SQL injection leading to remote code execution.

🟠

Likely Case

Data exfiltration of customer information, order history, and potentially administrative credentials stored in the database.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries prevent SQL injection, though the system may still be vulnerable to other attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed on GitHub. The vulnerability requires no authentication and is simple to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch is available. Consider implementing parameterized queries and input validation in /contact_us.php, or migrate to a different ordering system.

🔧 Temporary Workarounds

Input Validation and Sanitization
Applies to: all
  • Implement strict input validation and sanitization for the Name parameter in contact_us.php
  • Modify contact_us.php to use prepared statements with parameterized queries

Web Application Firewall (WAF)
Applies to: all
  • Deploy WAF rules to block SQL injection patterns
  • Configure WAF to block SQL injection patterns in POST requests to /contact_us.php
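As an added example (not code from this page, from itsourcecode, or from the affected product), the following PHP shows the first workaround applied to a contact form handler: input validation for the Name field, a PDO prepared statement for the insert, and logging of rejected input so probes against the form are visible without leaking SQL errors. Only the Name parameter and the /contact_us.php path come from the advisory; the table and column names (contact_us, name, email, message), the Email and Message form fields, and the connection details are assumptions made for illustration.

```php
<?php
// Added example, not the vendor's code. Demonstrates the page's recommended
// fix for the Name parameter in contact_us.php: validate input, then insert
// with a PDO prepared statement. Table/column names, the Email and Message
// fields, and the DSN/credentials are assumptions for illustration.

declare(strict_types=1);

// --- Vulnerable pattern (illustrative, NOT the vendor's actual source) ---
// Interpolating user input straight into the SQL string is what makes a
// parameter injectable:
//
//   $name = $_POST['Name'];
//   $sql  = "INSERT INTO contact_us (name, email, message) VALUES ('$name', '$email', '$message')";
//   mysqli_query($conn, $sql);

// --- Hardened version ---

/**
 * Validate the Name field. Returns the trimmed value or null if rejected.
 * Length and character-set limits are defence in depth; the prepared
 * statement below is what actually prevents injection.
 */
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    // Letters (any script), combining marks, spaces, apostrophes, hyphens, periods.
    if (!preg_match('/^[\p{L}\p{M} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

/**
 * Insert the contact message with a parameterized query. The user-supplied
 * values are bound as data and never become part of the SQL text.
 */
function saveContactMessage(PDO $pdo, string $name, string $email, string $message): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO contact_us (name, email, message) VALUES (:name, :email, :message)'
    );
    return $stmt->execute([
        ':name'    => $name,
        ':email'   => $email,
        ':message' => $message,
    ]);
}

function handleContactRequest(PDO $pdo): void
{
    $name    = validateName((string)($_POST['Name'] ?? ''));
    $email   = filter_var($_POST['Email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = trim((string)($_POST['Message'] ?? ''));

    if ($name === null || $email === false || $message === '' || mb_strlen($message) > 2000) {
        // Log the rejected input (truncated) so injection probes against
        // contact_us.php appear in the application log.
        error_log(sprintf(
            'contact_us.php: rejected input from %s Name=%s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            substr((string)($_POST['Name'] ?? ''), 0, 80)
        ));
        http_response_code(400);
        echo 'Invalid form input.';
        return;
    }

    try {
        saveContactMessage($pdo, $name, $email, $message);
        echo 'Thank you, your message has been received.';
    } catch (PDOException $e) {
        // Never echo the driver message: it leaks SQL syntax to the client.
        error_log('contact_us.php: database error: ' . $e->getMessage());
        http_response_code(500);
        echo 'Unable to save your message right now.';
    }
}

// Assumed connection details; adjust for the deployment.
$pdo = new PDO('mysql:host=localhost;dbname=frozen_foods;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepared statements
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handleContactRequest($pdo);
}
```

Setting PDO::ATTR_EMULATE_PREPARES to false makes the MySQL driver send the statement and the bound values separately, so the database never parses the Name value as SQL; the character whitelist in validateName() is a second layer that also rejects most probe strings before they reach the database, and the error_log() calls give the detection section below something concrete to collect.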

🧯 If You Can't Patch

  • Implement network segmentation to isolate the ordering system from sensitive databases
  • Deploy intrusion detection systems to monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Test the Name parameter in /contact_us.php with SQL injection payloads like ' OR '1'='1

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Verify that SQL injection payloads are no longer executed and no longer produce database error messages

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts from single IP
  • Database error messages containing SQL syntax

Network Indicators:

  • POST requests to /contact_us.php with SQL keywords in parameters
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/contact_us.php" AND (payload="' OR" OR payload="UNION" OR payload="SELECT")

🔗 References
