CVE-2025-0173 · A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as critical.

01 · The Real Story

This is a loose floorboard in a side hallway, not the front door blown off its hinges

CVE-2025-0173 is a SQL injection flaw in SourceCodester Online Eyewear Shop 1.0 at orders/view_order.php, where the id parameter is not safely handled before reaching the database. The product page describes this as a free PHP/MySQL source-code project for educational use, and the vulnerable path sits in the customer order area, which strongly suggests the practical attack path usually starts from a logged-in client account or open self-registration rather than true unauthenticated internet spray.

The vendor's MEDIUM 6.3 rating is basically right in spirit, even if the word *critical* appears in some mirrored descriptions. Yes, SQLi is always worth respecting, and public exploit references exist; but the real-world pressure is reduced by the product's very small enterprise footprint, the likely low-privilege/customer-context prerequisite, the absence of KEV or campaign evidence, and the fact that the documented impact is limited to low confidentiality, integrity, and availability loss rather than clean RCE.

"Real SQLi, but in a niche educational PHP app with low observed exploitation pressure and likely customer-level access friction"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a live instance

An attacker first has to locate a deployment of this specific SourceCodester project, usually by crawling for known page structure, branding, or exposed paths under /oews/. Commodity tooling is enough here; httpx, nuclei, or even search-engine indexing can do the discovery work if the site is public.

Conditions required:

The app is internet-exposed
The deployment is actually this SourceCodester codebase or a close fork
The order functionality is reachable from the web

Where this breaks in practice:

This is a niche educational project, not a common enterprise platform
There is no strong, widely used internet fingerprint for reliable mass discovery
Many copies are likely lab, student, or dead-end installs rather than maintained production apps

Detection/coverage: ASM/EASM platforms and web inventories may miss this unless you fingerprint the app by path/title/content. Generic vuln scanners may identify SQLi only if they are authenticated or if registration is open.

STEP 02

Get into customer context

The product documentation says customers must register before they can place orders and track them. In practice, an attacker likely uses a throwaway self-registered account or stolen low-privilege credentials, with Burp Suite or a browser session to reach the order-view workflow.

Conditions required:

Customer registration is enabled or valid low-privilege credentials are available
The attacker can access the order list or direct order-view endpoint

Where this breaks in practice:

If registration is closed, invite-only, or moderated, this becomes a materially narrower target
MFA is uncommon on apps like this, but account creation controls can still slow the path
Some deployments may restrict order pages to the owning account with additional server-side checks

Detection/coverage: IAM logs, registration logs, and web access logs can show suspicious low-volume account creation and rapid access to order-view endpoints.

STEP 03

Exploit the id parameter with sqlmap or Burp

Once the endpoint is reachable, the attacker feeds crafted SQL into orders/view_order.php?id=... to alter the backend query. sqlmap is the obvious weaponized tool here; Burp Repeater/Intruder works too for manual validation and targeted extraction.

Conditions required:

The backend query truly concatenates the id parameter
The application or WAF does not normalize/block the payload
The database connection returns useful errors or inferable differences

Where this breaks in practice:

Basic integer casting, prepared statements, or even crude WAF signatures will break most copy-paste exploitation
Blind-only SQLi raises operator time and lowers mass-exploitation value
DB permissions may constrain what can actually be read or changed

Detection/coverage: DAST can catch this if it can reach the endpoint with auth. WAF/IDS often flags classic SQLi strings, but custom payloads or blind techniques can slip past noisy rule sets.

STEP 04

Pull order data or tamper with app records

If exploitation succeeds, the most realistic outcomes are reading order/customer data, enumerating schema, or modifying application records reachable by the app's DB account. This is not the same as turnkey host takeover; the blast radius is usually bounded by whatever the web app's database user can touch.

Conditions required:

The DB user has read/write access beyond the single row being viewed
Relevant business or customer data is stored in the same database

Where this breaks in practice:

Many low-end PHP apps still use over-privileged DB accounts, but not all do
There is no authoritative evidence here of file-write, stacked-query RCE, or OS command execution
Impact remains app/data-centric unless other weaknesses are chained

Detection/coverage: Database activity monitoring, unusual query bursts, order-table reads outside normal patterns, and WAF telemetry can all surface successful exploitation attempts.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found in the consulted sources, and not listed in CISA KEV as of 2026-06-02. This materially lowers urgency versus high-noise perimeter CVEs.
PoC availability	Public exploit availability is referenced by NVD, OpenCVE, and OSV via a GitHub link to `listlonely/cve/blob/main/sql.md`; the referenced GitHub content appears unavailable now, so treat this as historical public PoC evidence, not a currently maintained exploit pack.
EPSS	Provided intel says 0.00143 (~0.143% 30-day exploitation probability). That is low threat pressure, consistent with a niche app and no KEV/campaign reporting. Percentile was not authoritatively verified during this assessment.
KEV status	No. The CVE is absent from the CISA Known Exploited Vulnerabilities catalog as checked on 2026-06-02.
CVSS interpretation	Vendor CVSS v3.1 is 6.3 / MEDIUM: `AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L`. The decisive limiter is `PR:L`: the documented baseline assumes the attacker already has low-privileged app access.
Affected versions	SourceCodester Online Eyewear Shop 1.0 only, per NVD/OpenCVE/OSV. No broader maintained branch or package ecosystem mapping was found.
Fixed version	No authoritative patched version found in the consulted sources. Treat this as custom code remediation or application retirement/replacement, not a straightforward vendor package update. Distro backports: not applicable.
Exposure reality	This is a free downloadable educational PHP/MySQL project from SourceCodester, not a mainstream enterprise platform. That sharply narrows likely population, even though any live deployment is still web-reachable by design.
Scanner and WAF coverage	This should be detectable by authenticated DAST and often blocked by generic SQLi WAF rules; Indusface's January 2025 report lists coverage for this issue. Unauthenticated perimeter scanning may miss it if the order page requires session state.
Disclosure and credit	Published 2025-01-02. OpenCVE mirrors credit to `wejieqin` / VulDB for the submission trail.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (5.2/10)

The single biggest downward pressure is that the documented attack path appears to sit in the customer order area and the vendor vector already marks it as low-privilege required. That means this is usually a post-registration / post-credential web-app data attack in a niche codebase, not a broad unauthenticated perimeter break with proven operational exploitation.

HIGH The flaw class and affected endpoint are real

MEDIUM The practical prerequisite is customer-level access or open self-registration

HIGH Threat pressure is low relative to enterprise patch queues

Why this verdict

Started at vendor 6.3 MEDIUM because this is remote SQLi with public exploit references, but the published vector already bakes in PR:L rather than unauthenticated reach.
Downgrade pressure: attacker position is not true pre-auth internet. Requiring authenticated remote access or open registration implies a prior stage and immediately cuts reachable population compared with perimeter RCEs and pre-auth SQLi.
Downgrade pressure: exposure population is tiny. This is a SourceCodester educational PHP project, not a ubiquitous enterprise product, so even a valid bug lands on far fewer real targets.
Downgrade pressure: low observed exploitation evidence. No KEV listing, no campaign reporting in the consulted sources, and a very low EPSS all argue against emergency-tier handling.
Floor on severity: public exploit lineage and internet-facing data path still matter. If you do run this app, exploitation is technically straightforward enough to expose or tamper with customer/order data.

Why not higher?

This is not supported by current evidence as a broad, unauthenticated, internet-scale compromise vector. The likely need for customer-level access or open registration, combined with a niche deployment base and no active exploitation signal, keeps it out of HIGH.

Why not lower?

It is still a genuine SQL injection on a web-exposed route, with public exploit references and low technical complexity once the endpoint is reachable. If the application is actually in use, dismissing it as backlog noise would understate the risk to customer and order data.

05 · Compensating Control

What to do — in priority order.

Put the order route behind stronger access controls — Require authenticated access to customer order pages and, where possible, restrict direct object access checks to the logged-in owner. For a MEDIUM finding there is no mitigation SLA, but if this app is public-facing you should still harden the route during normal remediation planning rather than waiting for a code rewrite.
Apply a targeted WAF rule for SQLi on view_order.php — Block or challenge requests to orders/view_order.php with SQL metacharacters, tautologies, comments, or anomalous id values. This is a practical containment step when no vendor patch is documented; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but WAFing the endpoint lowers exposure now.
Reduce database privileges for the app account — Constrain the application's DB user to the minimum tables and operations needed so a successful injection cannot become whole-database theft or tampering. This does not fix the bug, but it cuts blast radius while you execute remediation within the 365-day window for a MEDIUM issue.
Monitor for abuse on the order endpoint — Alert on repeated requests to view_order.php with odd id patterns, SQL keywords, or rapid sequential enumeration. This is especially useful if self-registration is enabled and gives you a detection backstop while remediation is scheduled.

What doesn't work

Relying on network segmentation alone does not help if the app is intentionally internet-facing.
MFA for admins is not the decisive control here, because the likely prerequisite is low-privileged customer access rather than admin takeover.
TLS/HTTPS protects transport, not unsafe query construction; encrypted SQLi is still SQLi.
EDR on the web server may never fire if the attacker stays inside application/database boundaries and does not execute host-level payloads.

06 · Verification

Crowdsourced verification payload.

Run this on the target web server that hosts the SourceCodester codebase, not from an auditor workstation. Invoke it as sudo bash verify_cve_2025_0173.sh /var/www/html/oews with read access to the application files; root is not strictly required if the web root is readable.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# verify_cve_2025_0173.sh
# Check SourceCodester Online Eyewear Shop for likely exposure to CVE-2025-0173
# Usage: bash verify_cve_2025_0173.sh /path/to/oews
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

APP_ROOT="${1:-}"
if [[ -z "$APP_ROOT" ]]; then
  echo "UNKNOWN - usage: bash $0 /path/to/oews"
  exit 2
fi

TARGET="$APP_ROOT/orders/view_order.php"
if [[ ! -f "$TARGET" ]]; then
  echo "UNKNOWN - file not found: $TARGET"
  exit 2
fi

content="$(tr '\n' ' ' < "$TARGET")"

# Heuristics:
# - vulnerable if the file references GET id and appears to build SQL unsafely
# - patched if it casts the id to int or uses prepared statements / bound params

has_get_id=0
has_prepare=0
has_bind=0
has_int_cast=0
has_sql_concat=0

grep -Eq "\$_GET\[['\"]id['\"]\]" "$TARGET" && has_get_id=1
grep -Eq "prepare\s*\(" "$TARGET" && has_prepare=1
grep -Eq "bind_param\s*\(|bindValue\s*\(|execute\s*\(" "$TARGET" && has_bind=1
grep -Eq "intval\s*\(\s*\$_GET\[['\"]id['\"]\]\s*\)|\(int\)\s*\$_GET\[['\"]id['\"]\]" "$TARGET" && has_int_cast=1

# crude concat patterns common in PHP/MySQL sample apps
if grep -Eq "(SELECT|UPDATE|DELETE).*\.(\s*)\$_GET\[['\"]id['\"]\]" "$TARGET"; then
  has_sql_concat=1
fi
if grep -Eq "(SELECT|UPDATE|DELETE).*(id|order_id)\s*=\s*['\"]?\s*\$[_A-Za-z][A-Za-z0-9_]*" "$TARGET"; then
  has_sql_concat=1
fi

if [[ $has_get_id -eq 1 && $has_sql_concat -eq 1 && $has_prepare -eq 0 && $has_bind -eq 0 && $has_int_cast -eq 0 ]]; then
  echo "VULNERABLE - likely unsafe use of GET id in $TARGET"
  exit 1
fi

if [[ $has_prepare -eq 1 || $has_bind -eq 1 || $has_int_cast -eq 1 ]]; then
  echo "PATCHED - input appears constrained or parameterized in $TARGET"
  exit 0
fi

echo "UNKNOWN - manual review required for $TARGET"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: first verify whether you even run this code anywhere public; if you do not, close the ticket as not-applicable. If you do run it, keep it in the MEDIUM lane: there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA, but because no authoritative vendor fixed version was found, your remediation task is to apply a local code fix, replace the app, or retire internet exposure within that window; meanwhile, add a route-specific WAF rule and tighten customer-order access controls during normal engineering cycles.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.