CVE-2025-7167

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in Responsive Blog Site 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in category.php. Attackers can potentially read, modify, or delete database content. All installations of this specific version are affected.

💻 Affected Systems

Products:
  • Responsive Blog Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific 1.0 version from code-projects.org. Custom installations may vary.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠 Likely Case: Database information disclosure, authentication bypass, or data manipulation affecting blog content and user data.

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub. SQL injection via ID parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes.

🔧 Temporary Workarounds

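Input Validation Filter

Platform: all

Add parameter validation to category.php so that ID is rejected unless it is a plain non-negative integer. is_numeric() also accepts floats, exponents and signed values such as 1e5 or -1.5, so a digits-only check is stricter. This is a stopgap: the durable fix is to bind ID as a parameter in a prepared statement instead of concatenating it into the query.

Edit category.php to add, before the query is built: if (!isset($_GET['ID']) || !ctype_digit((string) $_GET['ID'])) { http_response_code(400); die('Invalid input'); }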

WAF Rule

Platform: all

Implement web application firewall rules to block SQL injection patterns

ModSecurity rule: SecRule ARGS:ID "@detectSQLi" "id:1001,phase:2,deny"

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with strict input filtering
  • Run the application under a database user with minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Test category.php with SQL injection payload: category.php?ID=1' OR '1'='1

Check Version:

Check source code or documentation for version 1.0 reference

Verify Fix Applied:

Test with same payload after fixes - should return error or sanitized response

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web logs
  • Multiple requests to category.php with special characters in ID parameter

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, etc.) in URL parameters

SIEM Query:

source="web.log" AND (url="*category.php*" AND (url="*'*" OR url="*--*" OR url="*UNION*"))
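
The SIEM query above matches on the raw URL, so a percent-encoded quote (%27) would not match its '*'*' clause. The following Python script is an added example, not part of the original advisory: it decodes the query string first and flags any category.php request whose ID is not a plain integer. It assumes combined access-log format and that legitimate IDs are short digit strings; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2025:10:01:02 +0000] "GET /category.php?ID=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2025:10:01:05 +0000] "GET /category.php?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9044 "-" "curl/8.5.0"
198.51.100.9 - - [10/Jul/2025:10:01:09 +0000] "GET /category.php?ID=2+UNION+SELECT+NULL HTTP/1.1" 500 310 "-" "curl/8.5.0"
203.0.113.4 - - [10/Jul/2025:10:02:11 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Jul/2025:10:02:15 +0000] "GET /category.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: a legitimate category ID is 1-10 ASCII digits.
PLAIN_INT = re.compile(r"[0-9]{1,10}")


def suspicious_requests(log_text):
    """Return (ip, status, decoded_id) for category.php hits with a non-integer ID."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/category.php"):
            continue
        # parse_qs percent-decodes and maps '+' to a space, so %27 and ' are treated alike.
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() != "id":
                continue
            for value in values:
                if not PLAIN_INT.fullmatch(value):
                    hits.append((m["ip"], int(m["status"]), value))
    return hits


def hits_per_source(log_text):
    """Count flagged requests per client IP to surface repeated probing."""
    return Counter(ip for ip, _, _ in suspicious_requests(log_text))


if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} ID={value!r}")
    print(dict(hits_per_source(SAMPLE_LOG)))
```

A flagged request that returned 500 lines up with the "unusual SQL errors" indicator; one that returned 200 with an unusually large body deserves a closer look at what was returned.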
