CVE-2025-0199 · A vulnerability, which was classified as critical, was found in code-projects Point of Sales and Inventory Management System 1.0.

01 · The Real Story

This is a loose floorboard inside a back office, not the front door blown off

CVE-2025-0199 is an SQL injection in code-projects Point of Sales and Inventory Management System 1.0, specifically /user/minus_cart.php via the id parameter. The published PoC sends a POST request to that endpoint with a live PHPSESSID cookie, and the vulnerable route sits under the app's /user/ area; taken together, that strongly suggests an attacker needs an authenticated session to reach the bug, not just raw internet access. No vendor-fixed version or formal remediation release is published in the advisory trail I found; the vulnerable version remains 1.0 and public sources show no documented patched build.

Vendor severity at MEDIUM 6.3 is already closer to reality than the description's throwaway word '*critical*'. For enterprise prioritization, this drops further because the exploit chain is narrow: likely authenticated app access, a niche source-code PHP project rather than a broadly deployed enterprise platform, no KEV listing, no credible in-the-wild reporting, and an EPSS of 0.00086. Yes, it's SQLi and public PoC exists, but this looks like opportunistic post-login abuse against a small-exposure app, not something that should displace externally reachable pre-auth RCEs.

"Real bug, weak telemetry, but it looks like a low-priv app-user SQLi in a niche PHP project, not an enterprise fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach a live deployment

The attacker first has to find an organization actually running this specific code-projects PHP project, typically on XAMPP/WAMP-style hosting. This is not a mainstream enterprise product with predictable fingerprinting coverage, so target acquisition is the first real choke point. Common recon tooling would be httpx or Burp Suite against known PHP app paths and page titles, informed by the product page structure.

Conditions required:

The organization must actually deploy this exact Point of Sales and Inventory Management System 1.0 codebase
The app must be reachable from the attacker position

Where this breaks in practice:

Product appears to be a downloadable educational/source-code project, not a standard enterprise platform
I found no meaningful public internet-scale exposure telemetry for this CVE or product
Many deployments are likely local/lab/internal rather than internet-exposed

Detection/coverage: Generic web discovery scanners may find the app if reachable, but product-specific plugin coverage is likely weak.

STEP 02

Obtain an authenticated session

The PoC published by Masamune includes a PHPSESSID cookie and targets /user/minus_cart.php, which indicates the vulnerable function is likely behind login. In practice the attacker needs valid low-privilege application access first, whether by self-registration, credential stuffing, reused passwords, or prior compromise. Tools here are ordinary web testing tooling such as Burp Suite plus commodity credential attacks, not a one-shot unauthenticated exploit.

Conditions required:

A valid application user account or hijacked session
Session handling that allows the attacker to stay authenticated

Where this breaks in practice:

This is post-auth if the PoC and route semantics reflect real access controls
SSO, MFA, IP allowlisting, or no external login page materially cut reachable population
If the app is only used internally, the attacker is already past initial access

Detection/coverage: IAM, reverse proxy, and application logs can show logins preceding suspicious POSTs to /user/minus_cart.php.

STEP 03

Exploit the SQL injection

With a session, the attacker sends a crafted POST to /user/minus_cart.php and manipulates id to alter backend SQL execution. sqlmap can likely weaponize this quickly if the endpoint is stable and responses are distinguishable, though the CVE metadata marks exploitation as poc and automatable: no, which is consistent with some manual tuning. Expected impact is database read/modify capability within the app's data model, not automatic server takeover.

Conditions required:

The target is still on vulnerable code
Input reaches SQL unsafely in the deployed file
Backend responses are usable enough to extract or modify data

Where this breaks in practice:

Endpoint-specific SQLi often needs request shaping, cookies, and parameter tuning
DB account permissions may limit blast radius
App-level errors, WAF normalization, or custom hardening may break commodity tooling

Detection/coverage: WAF/IDS can sometimes catch classic SQLi payloads; application and DB logs may show anomalous query errors or time-based patterns.

STEP 04

Turn data access into business impact

The practical impact is tampering with cart or inventory-related data, extracting records, or abusing trusted app functions. That can hurt business logic and data integrity, but there is no evidence in the advisory chain that this vulnerability alone yields OS command execution or broad tenant escape. Attackers would usually need follow-on weaknesses to convert this into durable host compromise.

Conditions required:

The application DB contains valuable records
The compromised account and DB permissions allow meaningful reads or writes

Where this breaks in practice:

Blast radius is bounded by the app and DB privileges
No proof in the public record of pre-auth compromise or direct RCE
Recovery is easier than for appliance/root-level compromises

Detection/coverage: Look for unexplained inventory/cart changes, suspicious SQL errors, and unusual volume from authenticated web sessions.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No trustworthy evidence of active exploitation found; CISA ADP marks exploitation only as `poc`, not active abuse.
Proof-of-concept	Public PoC exists in a GitHub Gist by Masamune showing a crafted POST to `/user/minus_cart.php` with a session cookie.
EPSS	`0.00086` (very low; OpenCVE shows `<1%`) — consistent with low near-term mass exploitation pressure.
KEV status	Not KEV-listed. OpenCVE enrichment says `KEV: No`, and the CVE does not appear in the CISA KEV catalog.
CVSS vector	Vendor/CNA: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L` (6.3 MEDIUM). NVD enrichment differs slightly at `6.5` with `C:H/I:N/A:N`, but both keep this in MEDIUM territory.
Affected versions	Public records only identify `Point of Sales and Inventory Management System 1.0` as affected.
Fixed version	No authoritative patched version or vendor remediation release was published in the sources reviewed.
Exposure reality	This is a niche downloadable PHP source-code project from `code-projects.org`, not a standard enterprise package. That sharply reduces expected installed base and scanner priority.
Internet-scale telemetry	I found no meaningful GreyNoise/Censys/Shodan-style public exposure or exploitation telemetry tied to this CVE/product. That's an inference from absence of visible reporting, not proof of zero exposure.
Disclosure and credit	Disclosed 2025-01-03. Reporter credited as `masamune (VulDB User)`.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.4/10)

The decisive downgrade factor is the likely authenticated attacker position. Once a bug requires a valid app session inside a niche PHP project with no active exploitation evidence, it stops being an enterprise-wide patch emergency and becomes local app hygiene.

MEDIUM Likely authenticated-access prerequisite based on PoC cookie and `/user/` route placement

HIGH No KEV listing / no public active-exploitation evidence

HIGH Low prioritization pressure from EPSS and niche product exposure

Why this verdict

Downward adjustment: attacker position is probably post-login — the public PoC includes a PHPSESSID cookie and hits a /user/ endpoint, so this does not read like an internet-wide unauthenticated smash-and-grab.
Downward adjustment: narrow reachable population — this is a downloadable code-projects PHP application, not Exchange, SharePoint, PAN-OS, or some other enterprise-common target with huge external exposure.
Downward adjustment: weak threat pull — KEV: No, EPSS 0.00086, and no credible reporting of active campaigns mean there is little evidence adversaries care about this one at scale.
Kept above IGNORE: public PoC and real SQLi — if you do run this app, an authenticated user may be able to read or tamper with backend data using straightforward web exploitation tooling.

Why not higher?

There is no evidence this is pre-auth, wormable, broadly exposed, or chained to code execution. The practical path appears to require prior foothold in the application itself, which is exactly the kind of compounding friction that should push severity down for enterprise patch queues.

Why not lower?

This is still a legitimate SQL injection with a public PoC against a real shipping codebase. If the app is deployed and reachable by untrusted users, the issue can enable data access or tampering and should not be dismissed as paperwork-only noise.

05 · Compensating Control

What to do — in priority order.

Restrict access to the app — Put the application behind VPN, IP allowlists, or internal-only publishing where possible. For a LOW verdict there is no SLA (treat as backlog hygiene), but if you keep the app, reducing who can even reach login and /user/ routes is the cleanest risk cut.
Add WAF rules for SQLi patterns — Deploy targeted rules for POSTs to /user/minus_cart.php and block classic SQLi metacharacters, boolean/time-based payloads, and abnormal parameter lengths. Use this as a compensating control while you schedule remediation; for LOW, there is no SLA (treat as backlog hygiene).
Review application auth controls — Since the likely exploit path starts with a user session, tighten local account policy, kill default/shared credentials, and front the app with stronger authentication where possible. That matters more here than with a pre-auth appliance bug because the exploit chain appears to start after login.
Monitor the endpoint directly — Add log alerts for spikes, odd id values, SQL error traces, and repeated POSTs to /user/minus_cart.php. For a low-priority backlog item, cheap telemetry gives you disproportionate defensive value without a large engineering lift.

What doesn't work

EDR alone does not solve this; the abuse happens through normal web requests and database queries before host-level detections necessarily fire.
Perimeter blocking only at the internet edge does little if the app is internally published and the attacker already has VPN access or a phished employee session.
Generic vulnerability scanning may miss the real risk if it cannot authenticate into the app; this looks like a route that likely sits behind login.

06 · Verification

Crowdsourced verification payload.

Run this on the target web server that hosts the PHP application, not from an auditor workstation. Invoke it as bash verify-cve-2025-0199.sh /var/www/html/PISP (replace with the application root); it needs read access to the PHP source tree but not root if the files are world-readable.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# verify-cve-2025-0199.sh
# Check code-projects Point of Sales and Inventory Management System for the
# published minus_cart.php SQL injection pattern tied to CVE-2025-0199.
#
# Usage: bash verify-cve-2025-0199.sh /path/to/app_root
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

APP_ROOT="${1:-}"
if [[ -z "$APP_ROOT" ]]; then
  echo "UNKNOWN - missing application root path"
  exit 2
fi

TARGET="$APP_ROOT/user/minus_cart.php"
if [[ ! -f "$TARGET" ]]; then
  echo "UNKNOWN - file not found: $TARGET"
  exit 2
fi

# Heuristic 1: file exists in expected location.
# Heuristic 2: vulnerable sink patterns commonly used by this code-projects PHP app.
# Heuristic 3: lack of obvious prepared statements / parameterized APIs.

content="$(tr '\n' ' ' < "$TARGET")"

has_sink=0
if grep -Eqi '(mysql_query|mysqli_query|->query\s*\(|query\s*\()' "$TARGET"; then
  has_sink=1
fi

has_id_flow=0
if grep -Eqi '(\$_POST\s*\[\s*["'"'']id["'"'']\s*\]|\$_REQUEST\s*\[\s*["'"'']id["'"'']\s*\]|\$_GET\s*\[\s*["'"'']id["'"'']\s*\])' "$TARGET"; then
  has_id_flow=1
fi

has_prepared=0
if grep -Eqi '(prepare\s*\(|bind_param\s*\(|PDO\s*\(|execute\s*\()' "$TARGET"; then
  has_prepared=1
fi

# Stronger heuristic: direct interpolation of $id inside SQL strings.
if grep -Eqi '(select|update|delete|insert).*(\$id|\{\$id\}|id\s*=\s*["'"'']?\$id)' "$TARGET"; then
  echo "VULNERABLE - direct SQL use of id-like variable detected in $TARGET"
  exit 1
fi

if [[ $has_sink -eq 1 && $has_id_flow -eq 1 && $has_prepared -eq 0 ]]; then
  echo "VULNERABLE - SQL query function + attacker-controlled id + no obvious prepared statements"
  exit 1
fi

if [[ $has_prepared -eq 1 ]]; then
  echo "PATCHED - prepared/parameterized DB access indicators found; manual review still recommended"
  exit 0
fi

echo "UNKNOWN - file present but exploit pattern could not be confirmed heuristically"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: first confirm whether you actually run this exact code-projects app anywhere; if you do not, close it out as non-applicable. If you do run it, restrict exposure and add targeted monitoring as backlog work, then schedule source remediation or retirement inside the noisgate remediation SLA for LOW issues; there is no noisgate mitigation SLA here because this severity has no SLA (treat as backlog hygiene). This should sit well behind pre-auth edge-device RCEs, KEV items, and broadly deployed enterprise software flaws.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.