CVE-2025-15243

7.3 HIGH

📋 TL;DR

CVE-2025-15243 is an SQL injection vulnerability in Simple Stock System 1.0's login.php file that allows remote attackers to execute arbitrary SQL commands by manipulating the Username parameter. This affects all deployments of Simple Stock System 1.0, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • Simple Stock System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. No specific OS requirements mentioned.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized data access, credential theft, and potential privilege escalation leading to system compromise.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, but still poses authentication bypass risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit published on GitHub, attack can be launched remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement parameterized queries and input validation for the Username field in login.php

Modify login.php to use prepared statements with parameterized queries
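
An added example (not code from Simple Stock System or its vendor) showing the concatenated-query pattern next to the prepared-statement fix described above. The `users` table, its columns, the function names and the in-memory SQLite database are assumptions made so the script runs offline with PHP 8 and `pdo_sqlite`; the real login.php and its schema may differ.

```php
<?php
declare(strict_types=1);

// Constructed test database. Schema and account are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Vulnerable pattern: the Username value is concatenated into the SQL text,
// so quote characters in it change the structure of the WHERE clause.
function find_user_vulnerable(PDO $pdo, string $username): array|false
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed and the value is bound as data,
// so the database never parses the Username value as SQL.
function find_user_safe(PDO $pdo, string $username): array|false
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Login built on the bound query. The password is checked in PHP against a
// stored hash and never takes part in the SQL statement.
function login(PDO $pdo, string $username, string $password): bool
{
    $row = find_user_safe($pdo, $username);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$probe = "' OR '1'='1"; // the test string given in "How to Verify" on this page

// Does each lookup return a row when given the probe as the Username?
var_dump(find_user_vulnerable($pdo, $probe) !== false);
var_dump(find_user_safe($pdo, $probe) !== false);

// Does login() accept the real credentials and reject the probe?
var_dump(login($pdo, 'admin', 'correct horse'));
var_dump(login($pdo, $probe, 'anything'));
```

The same comparison between the two lookup functions works as a regression check after login.php has been modified.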

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to detect and block SQL injection attempts on login endpoints

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input filtering
  • Implement network segmentation and restrict access to the database server

🔍 How to Verify

Check if Vulnerable:

Test login.php with SQL injection payloads in Username field (e.g., ' OR '1'='1)

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and login.php uses parameterized queries

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in login attempts
  • Multiple failed login attempts with SQL keywords

Network Indicators:

  • SQL injection patterns in HTTP POST requests to /market/login.php

SIEM Query:

source="web_logs" AND uri="/market/login.php" AND (request_body CONTAINS "' OR" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT *")
