VYPR
High severity (CVSS 7.3) · NVD Advisory · Published Jul 8, 2025 · Updated Apr 29, 2026

CVE-2025-7178

Description

A vulnerability classified as critical has been found in code-projects Food Distributor Site 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in Food Distributor Site 1.0 admin login via unsanitized username parameter allows remote attackers to extract database records without authentication.

Root Cause

The vulnerability resides in /admin/process_login.php of code-projects Food Distributor Site 1.0. The application reads the username POST parameter via $_POST['username'], applies only stripslashes() (which reverses escaping added by addslashes() and does nothing to prevent SQL injection), and interpolates the value directly into an SQL query executed through the ORM (likely Idiorm). The code shown in the advisory confirms that neither parameterized queries nor input sanitization are applied to the username field [1].
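The page describes the pattern but shows no code, so the following is a constructed PHP illustration (added here; not the project's own code) of a login handler in the shape described above, beside a hardened version that binds the username as a parameter and verifies a stored hash. The table name `admin`, the column names, the PDO connection and the sample record are all assumptions.

```php
<?php
// Constructed illustration of the root-cause pattern (not Food Distributor Site's
// real code). Table and column names are assumed.

// VULNERABLE shape: stripslashes() only undoes addslashes(); the value still
// becomes part of the SQL text, so a quote in the input alters the query.
function vulnerable_login(PDO $db, array $post): ?array
{
    $username = stripslashes($post['username'] ?? '');
    $sql = "SELECT * FROM admin WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED shape: the username travels as a bound parameter, never as SQL
// text, and the password is checked with password_verify() against a hash.
function safe_login(PDO $db, array $post): ?array
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');
    if ($username === '' || strlen($username) > 64) {
        return null; // length bound; the real control is the prepared statement
    }
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM admin WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Demo on an in-memory SQLite database with a constructed admin record.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use real server-side binding
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)')
   ->execute(['admin', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

// Valid credentials authenticate; a quote in the username is treated as data.
var_dump(safe_login($db, ['username' => 'admin', 'password' => 'constructed-demo-password']) !== null);
var_dump(safe_login($db, ['username' => "o'brien", 'password' => 'x']) === null);
```

Disabling emulated prepares matters on MySQL, where PDO otherwise escapes and interpolates client-side rather than sending the value as a separate bound parameter.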

Exploitation

Attackers can exploit this by sending a crafted HTTP POST request to /admin/login.php with a SQL injection payload in the username field. The login form submits to process_login.php, which does not require prior authentication—the vulnerability is available to any remote attacker. The exploit has been publicly disclosed, increasing the risk of automated scanning and exploitation attempts [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to inject arbitrary SQL commands into the database query, potentially retrieving all stored data (including password hashes and user records), bypassing the login mechanism, or modifying/deleting database content without authorization. Given the application's role in food distribution, this could expose sensitive business data and user credentials [1][2].

Mitigation

No official patch has been released by code-projects as of the publication date. The vendor's site (code-projects.org) lists similar projects, but no security update for this specific application is available [2]. Users should disable public access to the admin panel or implement web application firewall rules to block SQL injection patterns until a fix is applied. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

References (5)
