← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-0207 · CWE-74 · Disclosed 2025-01-04

A vulnerability

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a loaded mousetrap sitting in a forgotten lab, not a landmine buried across your whole estate

CVE-2025-0207 is an unauthenticated SQL injection in code-projects Online Shoe Store 1.0, specifically the password parameter in /function/login.php. The vulnerable code concatenates user-controlled email and password directly into a SQL query against the customer table, enabling login bypass, database dumping, and—if the database account is over-privileged or stacked queries/filesystem features are available—possible follow-on code execution. Public writeups and a PoC gist point only to version 1.0; no maintained fixed version or distro backport was identified.

The vendor-side HIGH label is technically understandable for an unauthenticated remote SQLi, but it overstates enterprise patch urgency in practice. The decisive downgrade is reach and prevalence: this is a downloadable PHP sample/shop project from code-projects, not a mainstream enterprise platform, with no evidence of KEV listing, no credible campaign reporting, and a very low EPSS. If you actually have it internet-facing, it is a bad day for *that host*; across a 10,000-host enterprise fleet, it is usually shadow IT or trainingware, not top-of-queue mass risk.

"Real bug, public PoC, but it lives in a niche sample app with tiny likely enterprise exposure."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an exposed instance

The attacker first needs HTTP reachability to a live deployment of the PHP application and a route to /function/login.php. Typical tooling is plain curl, httpx, or search/enum against externally exposed Apache/Nginx+PHP hosts. The product is a downloadable source-code project, so exploitation starts only if someone actually deployed it beyond localhost or a lab VM.
Conditions required:
  • Target organization is running code-projects Online Shoe Store 1.0 or materially identical code
  • The web app is reachable from the attacker's network position
  • The /function/login.php endpoint is exposed
Where this breaks in practice:
  • This appears to be a niche sample app rather than a common enterprise platform
  • Many code-projects installs are local dev, student, or demo deployments, not internet-facing production systems
  • No reliable internet-scale fingerprint was identified, so broad attacker targeting is inefficient
Detection/coverage: Authenticated SAST or file-content inspection will catch this more reliably than generic infrastructure scanners. External scanners may detect only if the app is deployed and the endpoint is reachable.
STEP 02

Confirm SQL injection in the login flow

With the endpoint exposed, the attacker sends crafted email/password POST data to force the backend query to return unintended rows. The public PoC references sqlmap, which can automate detection and exploitation against the login form. Because the query is built by direct string interpolation, authentication is not a prerequisite.
Conditions required:
  • The vulnerable query path is still present in /function/login.php
  • Backend uses the same unsanitized SQL construction shown in the PoC
  • Input is not normalized or blocked by a compensating WAF rule
Where this breaks in practice:
  • A WAF or reverse proxy may block obvious payloads and sqlmap defaults
  • Custom login flow changes may break stock PoC assumptions
  • Some deployments may have error suppression that slows manual confirmation
Detection/coverage: DAST can often find this if it is allowed to exercise the login form. WAF, web logs, and DB error logs may show quote-heavy payloads, tautologies, UNION probes, or sqlmap signatures.
STEP 03

Turn injection into access or data theft

Once injection is confirmed, the attacker typically uses sqlmap to enumerate schemas, dump user records, and bypass login by altering query logic. The most likely real-world impact is credential theft, order/customer data exposure, and admin/session abuse. The jump from SQLi to full OS compromise is conditional, not guaranteed.
Conditions required:
  • Database account tied to the app can read useful tables
  • Application stores real customer/admin data of value
  • Login bypass or data extraction is not broken by app-side logic
Where this breaks in practice:
  • Least-privileged DB accounts sharply reduce blast radius
  • If this is a demo dataset, business impact is much lower
  • Password storage may already be weak, but that does not increase host compromise by itself
Detection/coverage: Database activity monitoring, slow-query logs, and web telemetry can catch schema enumeration and unusually large result sets. Many vuln scanners stop at proof and will not validate data-dump depth.
STEP 04

Escalate only if the environment is sloppy

Attackers may try sqlmap features such as file read/write or command execution through DB-specific primitives, but that requires permissive DB configuration and supporting platform features. In many PHP/MySQL deployments, the compromise ends at app/database data loss rather than clean remote code execution. That matters when scoring severity for enterprise-wide prioritization.
Conditions required:
  • Database/user privileges allow filesystem or command-adjacent operations
  • Webroot/write paths are reachable from the DB context
  • No segmentation or containment limits follow-on abuse
Where this breaks in practice:
  • RCE is not inherent to the bug; it depends on environmental misconfiguration
  • Modern managed DB services and least privilege often block dangerous post-exploitation primitives
  • EDR and FIM are more likely to catch webshell placement than pure SQL reads
Detection/coverage: Look for anomalous DB functions, unexpected file writes in the webroot, and spawned child processes from the web stack. Basic web vuln scans usually do not validate this stage.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo CISA KEV listing was found, and I found no authoritative reporting of active exploitation campaigns tied to this CVE. The NVD notes a public exploit disclosure, which is weaker than exploitation evidence.
Public PoCYes. A public gist by th4s1s shows the vulnerable query pattern in /function/login.php and demonstrates sqlmap-based exploitation for DB enumeration and shell attempts.
EPSS0.00091 from your intel block, which is extremely low and consistent with a niche target and limited observed attacker interest.
KEV statusNot listed in the CISA KEV catalog as of today.
CVSS reality checkVendor/CNA score is 7.3 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), which matches a straightforward remote SQLi with limited assumed impact. NVD later overrode it to 9.8 CRITICAL by assuming C:H/I:H/A:H; that looks inflated for typical observed outcomes here.
Affected versionsPublic sources identify code-projects Online Shoe Store 1.0. I found no authoritative evidence of additional affected branches.
Fixed version / backportsNone identified. I found no vendor advisory naming a patched release, and no distro backport references. Treat this as no-maintainer / no-official-fix-found until proven otherwise.
Exposure populationNo reliable Shodan/Censys/FOFA-style fingerprint surfaced in primary sources. Inference: likely low enterprise prevalence because this is a downloadable PHP source-code project from code-projects, commonly used for demos, coursework, or small one-off sites rather than standardized fleet software.
Disclosure timingPublished by NVD on 2025-01-04; NVD added its own enrichment and 9.8 assessment on 2025-01-10.
Reporter / source chainSource CNA is VulDB; the public exploit reference in NVD points to a gist by th4s1s. CWE mapping is noisy: VulDB included CWE-74, while NVD also mapped the issue to the more specific CWE-89.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The single biggest downward pressure is population reach: this is a niche downloadable PHP sample application, not a broadly deployed enterprise product. The bug is real and unauthenticated, but the number of organizations that both run this exact code and expose it in production is likely tiny compared with normal internet-priority patch work.

HIGH Technical validity of the SQL injection in `/function/login.php`
MEDIUM Assessment that enterprise-wide exposure prevalence is low
HIGH No current KEV / no confirmed campaign evidence in authoritative sources reviewed

Why this verdict

  • Downgrade for prevalence: this is code-projects Online Shoe Store 1.0, a downloadable PHP project, not a common managed enterprise product; that sharply narrows the exposed population.
  • Downgrade for attacker economics: exploitation requires first finding an organization that actually deployed this exact sample app in a reachable environment; that is materially different from a flaw in Exchange, PAN-OS, or Confluence.
  • Hold at MEDIUM, not LOW: once exposed, the path is easy—unauthenticated remote SQLi with public PoC and likely login bypass/data theft using sqlmap.
  • Downgrade for evidence: EPSS is extremely low and there is no KEV listing or solid campaign reporting, so the market is not telling us this is a priority-1 internet fire.
  • Downgrade for blast-radius uncertainty: the jump from SQLi to full host compromise is environment-dependent; in many real deployments the impact stays at app/database compromise, not automatic RCE.

Why not higher?

If this were a broadly deployed commercial e-commerce platform, unauthenticated remote SQLi with public exploit would land comfortably in HIGH and might flirt with CRITICAL for internet-facing estates. It does not get that treatment here because the attack chain begins with a major population filter: very few enterprises should be running this exact code in production at scale.

Why not lower?

This is still an unauthenticated remote injection with a public PoC against a login endpoint. If you do have an exposed instance, an attacker does not need phishing, credentials, or prior foothold, and the likely outcome is direct data access or auth bypass.

05 · Compensating Control

What to do — in priority order.

  1. Pull it off the internet — If any instance is externally reachable, move it behind VPN, IP allowlists, or an internal reverse proxy. For a MEDIUM noisgate verdict there is no mitigation SLA, but exposed instances should be treated as an exception because this is a trivial unauthenticated SQLi.
  2. Block /function/login.php at the edge if the app is not needed — Add a reverse-proxy or WAF rule to deny direct access to the vulnerable endpoint, or disable the login feature entirely while you validate business need. There is no noisgate mitigation SLA for MEDIUM; use the control as immediate containment where the app cannot be removed quickly.
  3. Constrain the database account — Reduce the application's DB user to the minimum required privileges and explicitly deny file-write, admin, and dangerous function access. This does not fix the SQLi, but it cuts the step from data theft to filesystem writes or shell attempts.
  4. Hunt for shadow IT copies — Search webroots, Git repos, VM templates, and student/lab environments for Online Shoe Store, smss_db.sql, or the vulnerable login.php pattern. Because no vendor-fixed version was identified, discovery is the hard part and should be completed before the 365-day remediation window closes.
  5. Replace or locally patch the code — Since no official fixed release was identified, the durable answer is to rewrite the vulnerable query with prepared statements or retire the application. For a MEDIUM verdict, there is no mitigation SLA—go straight to the remediation window and eliminate the vulnerable code before it expires.
What doesn't work
  • MFA on user accounts does not stop SQL injection against the backend login query.
  • Rotating customer or admin passwords alone does not remove the injection path; the attacker can still alter SQL logic or dump fresh data.
  • Endpoint AV/EDR is weak protection against the most likely impact here, which is database reads and auth bypass without dropping malware.
06 · Verification

Crowdsourced verification payload.

Run this on the target web host or inside the container/VM where the PHP app is deployed. Invoke it as bash verify-cve-2025-0207.sh /var/www/html and provide the application webroot; no root is required for read access, but the account must be able to read function/login.php.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify-cve-2025-0207.sh
# Detects likely vulnerable code-projects Online Shoe Store login.php pattern.
# Usage: bash verify-cve-2025-0207.sh /path/to/webroot
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

WEBROOT="${1:-}"
if [[ -z "$WEBROOT" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/webroot"
  exit 2
fi

TARGET="$WEBROOT/function/login.php"
if [[ ! -f "$TARGET" ]]; then
  echo "UNKNOWN - file not found: $TARGET"
  exit 2
fi

# Normalize whitespace for simpler matching.
CONTENT="$(tr '\n\r\t' '   ' < "$TARGET")"

# Strong vulnerable indicators from the public PoC / NVD description.
HAS_EMAIL_POST=0
HAS_PASSWORD_POST=0
HAS_CUSTOMER_QUERY=0
HAS_DIRECT_INTERP=0
HAS_PREPARE=0

if grep -Eq '\$_POST\[["'"'']email["'"'']\]' "$TARGET"; then HAS_EMAIL_POST=1; fi
if grep -Eq '\$_POST\[["'"'']password["'"'']\]' "$TARGET"; then HAS_PASSWORD_POST=1; fi
if grep -Eqi 'SELECT[[:space:]]+\*[[:space:]]+FROM[[:space:]]+customer' "$TARGET"; then HAS_CUSTOMER_QUERY=1; fi
if grep -Eqi "email=.?['\"]?\$email['\"]?.*password=.?['\"]?\$password['\"]?" "$TARGET"; then HAS_DIRECT_INTERP=1; fi
if grep -Eqi '(prepare\s*\(|bind_param\s*\(|mysqli_prepare\s*\(|PDO\s*::\s*prepare\s*\()' "$TARGET"; then HAS_PREPARE=1; fi

if [[ $HAS_EMAIL_POST -eq 1 && $HAS_PASSWORD_POST -eq 1 && $HAS_CUSTOMER_QUERY -eq 1 && $HAS_DIRECT_INTERP -eq 1 && $HAS_PREPARE -eq 0 ]]; then
  echo "VULNERABLE - login.php appears to concatenate email/password into SQL directly"
  exit 1
fi

if [[ $HAS_PREPARE -eq 1 ]]; then
  echo "PATCHED - prepared statement usage detected; review manually to confirm"
  exit 0
fi

echo "UNKNOWN - file exists but pattern is inconclusive; manual code review required"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not launch a fleet-wide fire drill for this CVE. First, determine whether you actually run this code anywhere—especially on internet-facing PHP hosts, student/lab segments, or unmanaged web VMs—and if you find it, remove public exposure and retire or locally patch the code because no official fixed release was identified. For a MEDIUM noisgate verdict, the noisgate mitigation SLA is no mitigation SLA — go straight to the 365-day remediation window, and the noisgate remediation SLA is ≤ 365 days; in practice, any externally exposed instance deserves same-day containment even though the fleet-level priority is not HIGH.

Sources

  1. NVD CVE-2025-0207
  2. Public PoC gist by th4s1s
  3. code-projects - Online Shoe Store Using PHP With Source Code
  4. code-projects - Online Shoes Store IN PHP, CSS, Js, AND MYSQL
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS overview
  7. FIRST EPSS API documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.