← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-0176 · CWE-74 · Disclosed 2025-01-03

A vulnerability was found in code-projects Point of Sales and Inventory Management System 1

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a lockpick for a side door, not a skeleton key to the whole building

CVE-2025-0176 is a SQL injection flaw in code-projects Point of Sales and Inventory Management System 1.0, specifically in /user/add_cart.php via the id and qty parameters. The public PoC targets the app's user workflow and shows a crafted POST to the cart endpoint, which means the practical impact is app-database reads or tampering inside this one PHP application rather than instant host takeover.

The vendor's MEDIUM 6.3 is closer to reality than NVD's later HIGH 7.5 enrichment. The decisive issue is friction: the vulnerable endpoint sits under /user/, the PoC includes a live PHPSESSID, and this project is a downloadable educational PHP app typically run under XAMPP/WAMP or a small LAMP stack, not a broadly managed enterprise platform. That narrows reachable population and usually implies the attacker already has app access.

"Real SQLi, but it likely needs a logged-in app user on a niche PHP project with limited enterprise blast radius."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Get an application session

The attacker first needs a valid session for the POS app or another way to hit the endpoint in its expected state. The public PoC shows a PHPSESSID cookie and a same-origin AJAX request pattern, which strongly suggests this is not a clean unauthenticated-internet exploit chain. A common weaponized option here is Burp Suite or a browser session replay rather than a one-packet RCE.
Conditions required:
  • Reachability to the web app
  • Valid low-privilege application access or a stolen session
  • The app is actually deployed, not just sitting in a dev ZIP
Where this breaks in practice:
  • Login requirement is a major down-pressure versus unauthenticated SQLi
  • Many deployments are likely lab, demo, or very small-business installs rather than internet-exposed enterprise services
  • No evidence this endpoint is a standard internet-scale fingerprint in Shodan/Censys
Detection/coverage: Authenticated web scanning may find it; unauthenticated perimeter scanners can miss it if the app gates /user/ behind login.
STEP 02

Inject through add_cart.php

Using sqlmap, Burp Repeater, or a hand-crafted POST, the attacker tampers with id or qty sent to /user/add_cart.php. Because the flaw is classic server-side SQL injection, exploitation complexity is low once the request shape is known. The likely outcome is database query manipulation inside the shopping-cart or product-selection flow.
Conditions required:
  • The vulnerable 1.0 code path is present
  • Request reaches the PHP app without server-side validation or parameterization
  • Backend database account has enough rights to read or alter relevant tables
Where this breaks in practice:
  • WAFs or generic SQLi signatures may catch noisy payloads
  • Some installs may break under modern PHP before reaching production use
  • Database permissions may limit the result to this app's tables
Detection/coverage: DAST with authenticated crawl should have good coverage. Network IDS/WAF may flag union/error-based payloads; blind/time-based probes are easier to miss.
STEP 03

Abuse app data and business logic

From there, the attacker can typically read rows, manipulate cart or inventory records, and potentially extract credentials stored in the app database. sqlmap --dump is the usual weaponized follow-on. In the worst case, overprivileged DB accounts or reused secrets let the attacker move beyond the app, but that is environmental, not inherent to this CVE.
Conditions required:
  • Useful data exists in the POS database
  • DB credentials permit reads or writes beyond the immediate cart action
  • There are weakly segregated secrets or reused passwords
Where this breaks in practice:
  • Blast radius is usually the application database, not the operating system
  • No evidence of turnkey post-exploitation chaining specific to this product
  • Small standalone deployments often have little lateral value beyond local business data
Detection/coverage: Database logs, WAF alerts, and unusual cart/inventory mutations are the best signals. EDR will usually not help much unless the attack chains into OS-level execution.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo CISA KEV listing found, and I found no trustworthy reporting of active campaigns abusing this CVE specifically.
Public PoCYes. A public GitHub Gist by Masamune documents the vulnerable file, parameters, and a sample POST request: PoC.
EPSS0.00202 (~0.202%), which is low and consistent with a niche app plus no visible exploitation momentum.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS disagreementThe CNA/VulDB score is 6.3 MEDIUM with PR:L, while NVD later enriched it to 7.5 HIGH with PR:N. The public PoC's session cookie is a practical hint that the CNA view is more realistic here.
Affected versionsAuthoritative records point to Point of Sales and Inventory Management System 1.0 only.
Fixed versionsI found no vendor-published patched version and no distro backport guidance. Treat this as no confirmed fix available from the upstream project.
Exposure realityThis appears to be a downloadable educational PHP/XAMPP-style project rather than a mainstream enterprise product. I found no reliable internet-scale fingerprint or exposure count for this exact app, so exposure is unknown but likely low.
Disclosure datePublished on 2025-01-03 in the CVE record; NVD shows publication on 2025-01-02/03 depending on timezone display.
Reporter / researcherThe PoC is attributed to Masamune; the CVE was assigned/published through VulDB.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (4.8/10)

The single biggest reason this stays out of HIGH is the likely authenticated-app-user prerequisite, which turns this into a post-login web-app abuse case rather than a broad unauthenticated internet worm candidate. The vulnerability is real and public, but the reachable population and blast radius are both much narrower than the raw term *SQL injection* suggests.

HIGH Public PoC exists and the vulnerable endpoint is clearly identified
MEDIUM Authentication requirement inferred from PoC and pathing, despite NVD/CNA scoring disagreement
MEDIUM Enterprise exposure is probably low, but internet-scale counts are not well established

Why this verdict

  • Downgrade pressure: likely requires a logged-in app user. The endpoint is /user/add_cart.php, and the public PoC includes a PHPSESSID, which is a strong practical signal that exploitation usually starts *after* the attacker has valid app access or a stolen session.
  • Downgrade pressure: niche product and small exposure population. This is a downloadable PHP project intended for XAMPP/WAMP-style deployment and educational use, not a common enterprise platform with massive internet-facing footprint.
  • Upgrade pressure: public exploitability is real. Once an attacker has the right position, the bug is straightforward SQLi with low technical complexity and normal database confidentiality/integrity impact.

Why not higher?

I am not scoring this HIGH because the attack path appears to require more than just internet reachability. Requiring authenticated application access dramatically cuts the number of viable targets and means the attacker is already past the front door. I also found no KEV entry, no active exploitation reporting, and no evidence this app has broad enterprise prevalence.

Why not lower?

I am not dropping this to LOW or IGNORE because it is still a real SQL injection with a public PoC and a defined vulnerable endpoint. If your organization actually runs this app, a low-privilege user or session thief can likely read or tamper with POS data, which is materially worse than cosmetic or theoretical bugs.

05 · Compensating Control

What to do — in priority order.

  1. Move the app behind trusted access — Put the POS app behind VPN, SSO gateway, reverse-proxy ACLs, or at minimum IP allowlisting so /user/ is not broadly reachable. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but reducing exposure now is cheap risk reduction if the app must stay online.
  2. Constrain database privileges — Ensure the app's DB account cannot administer the server, write arbitrary files, or read unrelated schemas. This limits the SQLi blast radius to app data even if the endpoint remains vulnerable during the 365-day remediation window.
  3. Add focused WAF rules — Deploy targeted SQLi signatures on POSTs to /user/add_cart.php, especially around id and qty, to catch opportunistic exploitation and scanning. For MEDIUM, use this as defense-in-depth rather than an emergency stopgap.
  4. Hunt for stale sessions and weak accounts — Because the likely hard requirement is app access, rotate weak/default credentials, expire dormant users, and shorten session lifetimes. That directly attacks the most important prerequisite in this exploit chain.
What doesn't work
  • Relying on EDR alone does not help much because the primary abuse happens inside normal web and database request paths.
  • A generic network perimeter scanner is not enough if the flaw only shows up after login or requires authenticated workflow context.
  • Assuming 'it's only an internal app' is not a control; any attacker with foothold, VPN access, or stolen user credentials can still use it.
06 · Verification

Crowdsourced verification payload.

Run this on the target Linux/PHP web host that contains the application files, not from an auditor workstation. Invoke it as bash verify-cve-2025-0176.sh /var/www/html/PISP or point it at the app root; it needs read access to the application directory only, not root.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify-cve-2025-0176.sh
# Heuristic verifier for CVE-2025-0176 in code-projects Point of Sales and Inventory Management System 1.0
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

APP_ROOT="${1:-}"
if [[ -z "$APP_ROOT" ]]; then
  echo "UNKNOWN: missing application path argument"
  echo "Usage: bash verify-cve-2025-0176.sh /path/to/app"
  exit 2
fi

if [[ ! -d "$APP_ROOT" ]]; then
  echo "UNKNOWN: path does not exist: $APP_ROOT"
  exit 2
fi

TARGET="$APP_ROOT/user/add_cart.php"
README1="$APP_ROOT/Readme.txt"
README2="$APP_ROOT/README.txt"

if [[ ! -f "$TARGET" ]]; then
  echo "UNKNOWN: target file not found: $TARGET"
  exit 2
fi

# Normalize line endings for matching
TMPFILE="$(mktemp)"
tr -d '\r' < "$TARGET" > "$TMPFILE"

is_pos_project=0
if [[ -f "$README1" ]] && grep -Eqi 'point of sales|inventory management|PISP|posales' "$README1"; then
  is_pos_project=1
elif [[ -f "$README2" ]] && grep -Eqi 'point of sales|inventory management|PISP|posales' "$README2"; then
  is_pos_project=1
elif grep -Eqi 'posales|add_cart|cart=1|mysql_query|SELECT|FROM' "$TMPFILE"; then
  is_pos_project=1
fi

# Heuristics for vulnerable code:
# - file exists at expected path
# - app appears to be the POS project
# - file contains direct use of request/body vars and legacy SQL building functions/patterns
has_request_vars=0
has_sql_usage=0
has_parameterization=0

if grep -Eqi '\$_(POST|GET|REQUEST)\s*\[[^]]*(id|qty)[^]]*\]' "$TMPFILE"; then
  has_request_vars=1
fi

if grep -Eqi 'mysql_query|mysqli_query|SELECT|INSERT|UPDATE' "$TMPFILE"; then
  has_sql_usage=1
fi

if grep -Eqi 'prepare\s*\(|bind_param\s*\(|PDO\s*::\s*prepare|->prepare\s*\(' "$TMPFILE"; then
  has_parameterization=1
fi

rm -f "$TMPFILE"

if [[ "$is_pos_project" -eq 1 && "$has_request_vars" -eq 1 && "$has_sql_usage" -eq 1 && "$has_parameterization" -eq 0 ]]; then
  echo "VULNERABLE: add_cart.php present with request-driven SQL patterns and no obvious parameterization"
  exit 1
fi

if [[ "$has_parameterization" -eq 1 ]]; then
  echo "PATCHED: add_cart.php shows parameterized query patterns"
  exit 0
fi

echo "UNKNOWN: app found but code pattern is inconclusive; manual review of $TARGET required"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: verify whether this PHP project is actually deployed anywhere outside dev/test, and if it is, check whether /user/add_cart.php is reachable only to trusted users. For a MEDIUM verdict, the noisgate mitigation SLA says no mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is ≤ 365 days. In practice, if no fixed upstream build exists, either retire the app, put it behind trusted access, or patch the code locally during your normal web-app backlog cycle rather than treating this like an emergency internet-edge event.

Sources

  1. NVD CVE-2025-0176
  2. CVE Record / OpenCVE mirror
  3. Public PoC Gist by Masamune
  4. Code-Projects product page
  5. Related Code-Projects download page
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS documentation
  8. CVE Details entry with score history and references
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.