CVE-2025-15165 – CVE-2025-15165 is an SQL injection vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2025-15165?

CVE-2025-15165 has a CVSS score of 7.3 (HIGH). CVE-2025-15165 is an SQL injection vulnerability in itsourcecode Online Cake Ordering System 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /updatecustomer.php?action=edit. This affects all deployments of version 1.0 of this software. Successful exploitation could lead to data theft, modification, or deletion.

📋 TL;DR

CVE-2025-15165 is an SQL injection vulnerability in itsourcecode Online Cake Ordering System 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /updatecustomer.php?action=edit. This affects all deployments of version 1.0 of this software. Successful exploitation could lead to data theft, modification, or deletion.

💻 Affected Systems

Products:

itsourcecode Online Cake Ordering System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable. The vulnerability exists in the default installation.

📦 What is this software?

Online Cake Ordering System by Admerc

View all CVEs affecting Online Cake Ordering System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data destruction, and potential server takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized access to customer data, order manipulation, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection via ID parameter is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Modify /updatecustomer.php to validate and sanitize the ID parameter using prepared statements.

Replace raw SQL queries with parameterized queries using PDO or mysqli prepared statements.

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns targeting the ID parameter.

Add WAF rule: Block requests with SQL keywords in ID parameter of /updatecustomer.php

🧯 If You Can't Patch

Restrict access to /updatecustomer.php to authenticated users only
Implement network segmentation to isolate the vulnerable system from critical databases

🔍 How to Verify

Check if Vulnerable:

Test /updatecustomer.php?action=edit&ID=1' with SQL injection payloads like ' OR '1'='1

Check Version:

Check application version in admin panel or source code comments

Verify Fix Applied:

Test with same payloads and verify no SQL errors or unexpected behavior occurs

📡 Detection & Monitoring

Log Indicators:

SQL syntax errors in web server logs
Unusual database queries from web application user
Multiple failed login attempts or parameter manipulation

Network Indicators:

HTTP requests to /updatecustomer.php with SQL keywords in parameters
Unusual database traffic patterns

SIEM Query:

source="web_logs" AND uri="/updatecustomer.php" AND (param="ID" AND value MATCHES "'.*OR.*|'.*AND.*|'.*UNION.*")

📊 Metadata

CVE ID: CVE-2025-15165

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (10.2th percentile)

Published: December 29, 2025

Last Updated: December 30, 2025

🔗 References

https://github.com/LaneyYu/cve/issues/4 Exploit,Issue Tracking
https://itsourcecode.com/ Product
https://vuldb.com/?ctiid.338544 Permissions Required,VDB Entry
https://vuldb.com/?id.338544 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.721106 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15165, you might also want to check these: