CVE-2025-6821 – CVE-2025-6821 is a critical SQL injection vulne... (How to Fix)

Q: What is the severity of CVE-2025-6821?

CVE-2025-6821 has a CVSS score of 7.3 (HIGH). CVE-2025-6821 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the /php_action/createOrder.php file. This affects all users running the vulnerable version of this inventory management software. Successful exploitation could lead to data theft, data manipulation, or complete system compromise.

📋 TL;DR

CVE-2025-6821 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the /php_action/createOrder.php file. This affects all users running the vulnerable version of this inventory management software. Successful exploitation could lead to data theft, data manipulation, or complete system compromise.

💻 Affected Systems

Products:

code-projects Inventory Management System

Versions: 1.0

Operating Systems: All operating systems running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all installations of version 1.0 regardless of configuration. The vulnerability is in the core application code.

📦 What is this software?

Inventory Management System by Code Projects

View all CVEs affecting Inventory Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data exfiltration, data destruction, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized access to sensitive inventory data, customer information, and business records, potentially leading to data theft or manipulation.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation preventing database access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative inventory management systems or implementing custom fixes with parameterized queries.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries in createOrder.php

Modify /php_action/createOrder.php to use prepared statements with parameterized queries instead of direct SQL concatenation

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block SQL injection patterns targeting /php_action/createOrder.php

🧯 If You Can't Patch

Isolate the system on a segmented network with strict access controls
Implement database-level protections: least privilege accounts, stored procedures, and query logging

🔍 How to Verify

Check if Vulnerable:

Check if /php_action/createOrder.php exists and contains unsanitized user input in SQL queries

Check Version:

Check application version in configuration files or about pages

Verify Fix Applied:

Test with SQL injection payloads to confirm they are properly blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts or unusual order creation patterns
SQL error messages in application logs

Network Indicators:

HTTP requests to /php_action/createOrder.php with SQL injection patterns
Unusual database traffic from web server

SIEM Query:

source="web_logs" AND uri="/php_action/createOrder.php" AND (payload="' OR " OR "--" OR "#" OR "UNION" OR "SELECT" OR "INSERT" OR "UPDATE" OR "DELETE")

📊 Metadata

CVE ID: CVE-2025-6821

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (12.4th percentile)

Published: June 28, 2025

Last Updated: July 1, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/Dav1d-safe/cve/issues/3 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.314259 Permissions Required,VDB Entry
https://vuldb.com/?id.314259 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.602640 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-6821, you might also want to check these: