SourceCodester Sales Tracker Management System Master.php delete_client sql injection
Description
A vulnerability has been found in SourceCodester Sales Tracker Management System 1.0 and classified as critical. This vulnerability affects the function delete_client of the file classes/Master.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222646 is the identifier assigned to this vulnerability.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `delete_client` function in `classes/Master.php` directly composes the unsanitized `id` parameter into a SQL statement, enabling SQL injection."
Attack vector
An attacker sends a crafted HTTP request to the URL `http://<host>/php-sts/classes/Master.php?f=delete_client` with a malicious `id` parameter. The `delete_client` function composes the `id` value directly into a SQL statement without filtering, allowing SQL injection [ref_id=1]. The attack is remotely exploitable over the network with no authentication required.
Affected code
The vulnerable function is `delete_client` in the file `classes/Master.php`. The function receives the `id` parameter via an HTTP request and uses it directly in a SQL statement without any filtering or sanitization [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] states that the root cause is the absence of filtering on the `id` parameter before it is used in SQL statements. The remediation would be to implement parameterized queries or prepared statements in the `delete_client` function, and to validate and sanitize the `id` input before database operations.
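An added illustration of the remediation described above (not code from the project or the advisory): the interpolating pattern the advisory describes next to a version that validates `id` and binds it through a prepared statement. The use of `mysqli`, the `client_list` table name and the function names are assumptions for the example.

```php
<?php
// Illustrative example; not SourceCodester's classes/Master.php.
// Assumes a mysqli connection in $conn and a `client_list` table
// (table and column names are assumptions for illustration).

// Pattern the advisory describes: the request parameter is spliced
// into the statement text, so the database parses whatever characters
// the client sent as SQL rather than as a value.
function delete_client_vulnerable(mysqli $conn, array $request): bool
{
    $id = $request['id'] ?? '';
    $sql = "DELETE FROM `client_list` WHERE id = '{$id}'";
    return $conn->query($sql) !== false;
}

// Hardened form: check that the input is a positive integer first,
// then bind it as a parameter so it can only ever be data.
function delete_client_safe(mysqli $conn, array $request): bool
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        // Reject and log anything that is not a positive integer id;
        // a failed check here is also a useful detection signal.
        error_log('delete_client: rejected non-integer id');
        return false;
    }

    $stmt = $conn->prepare('DELETE FROM `client_list` WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}
```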
Preconditions
- network: The attacker must be able to reach the web application over the network
- config: The vulnerable endpoint Master.php?f=delete_client must be accessible
- auth: No authentication is required to trigger the vulnerability
- input: The attacker supplies a malicious id parameter value
Reproduction
1. Deploy the Sales Tracker Management System from the source code at https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html [ref_id=1].
2. Send a request to `http://<target>/php-sts/classes/Master.php?f=delete_client` with a malicious `id` parameter, for example using sqlmap: `sqlmap.py -r c:\tmp\sts-1.txt -p id --risk 2 --dbs` [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Mart1nD0t/vul-test/blob/main/sts-3.md (mitre, exploit)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.