SourceCodester Simple POS and Inventory System GET Parameter deleteproduct.php delete sql injection
Description
A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit is now public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can exploit SQL injection in multiple GET parameters to delete records or extract sensitive data in POS Inventory System 1.0.
Vulnerability
The SourceCodester Simple POS and Inventory System 1.0 is vulnerable to SQL injection via the id GET parameter in multiple admin endpoints [1]. The files /admin/deleteproduct.php, /admin/deletecustomer.php, and /admin/deletesupplier.php retrieve the id value directly from $_GET['id'] and concatenate it into SQL queries without sanitization, type casting, or the use of prepared statements [1]. For example, deleteproduct.php executes: $pid = $_GET['id']; $a = mysqli_query($conn, "select * from product where productid='$pid'"); [1]. The vulnerability can be triggered by any authenticated user with access to these admin pages [1].
Exploitation
An attacker must be authenticated to the application [1]. The attack can be launched remotely by crafting a GET request to any of the vulnerable endpoints with a malicious payload in the id parameter [1]. The public proof-of-concept demonstrates a time-based blind SQL injection using a SLEEP(5) command: GET /admin/deleteproduct.php?id=1' AND SLEEP(5)-- - [1]. A 5-second delay confirms successful injection [1]. Error-based and UNION-based injection techniques are also possible [1].
Impact
Successful exploitation allows an attacker to delete arbitrary records from the product, customer, and supplier tables, compromising data integrity [1]. Via UNION-based injection, the attacker can extract sensitive data including usernames and MD5 password hashes, impacting confidentiality [1]. Mass deletion could cause complete business disruption, affecting availability [1]. The reference also notes potential for Remote Code Execution via INTO OUTFILE if the database user has root privileges [1].
Mitigation
The vendor has not released a patched version as of publication, so the vulnerability is currently unpatched [1]. No workarounds are provided in the available references [1]. The application is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Administrators should restrict access to admin pages, use a web application firewall (WAF) to filter malicious inputs, or replace the application with a supported alternative [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application concatenates the unsanitized `$_GET['id']` value directly into SQL queries, enabling SQL injection."
Attack vector
An authenticated attacker sends a crafted GET request to `/admin/deleteproduct.php` with a malicious `id` parameter containing SQL injection payloads. For example, appending `' AND SLEEP(5)-- -` to the `id` value causes the backend to execute `DELETE FROM product WHERE productid='1' AND SLEEP(5)-- -'`, inducing a 5-second delay that confirms the injection [ref_id=1]. The attack is remotely exploitable and requires only a valid session cookie.
Affected code
The vulnerability exists in `/admin/deleteproduct.php` (and also `/admin/deletecustomer.php` and `/admin/deletesupplier.php`). The code retrieves the `id` parameter directly from `$_GET['id']` and concatenates it into SQL queries without sanitization, type casting, or prepared statements [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory recommends replacing all raw `mysqli_query()` calls with parameterized queries using `mysqli_prepare()`, casting the `id` parameter to an integer before use, restricting delete operations to administrator accounts, and migrating state-changing actions from GET to POST with CSRF tokens [ref_id=1].
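The four changes the advisory recommends, applied to the delete handler as an added example (this is not code from the SourceCodester project or from the advisory). It assumes `$conn` is the application's open mysqli connection and that the login code stores the user's role in `$_SESSION['role']` and a per-session token in `$_SESSION['csrf_token']`; the `product` table and `productid` column names come from the query quoted above.

```php
<?php
// Added example, not the project's code: hardened delete handler applying the
// advisory's recommended fixes (POST + CSRF token, admin-only, integer cast,
// prepared statement). Assumptions: $conn is an open mysqli connection provided
// by the application's existing include; $_SESSION['role'] and
// $_SESSION['csrf_token'] are set by the login code.
session_start();

// 1. State-changing action only over POST (the original accepted GET).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 2. Only administrator accounts may delete products.
if (!isset($_SESSION['role']) || $_SESSION['role'] !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 3. CSRF token check; hash_equals() compares in constant time.
$token = $_POST['csrf_token'] ?? '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 4. Validate id as a positive integer. A value such as "1' AND SLEEP(5)-- -"
//    fails FILTER_VALIDATE_INT and never reaches the database.
$pid = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($pid === false || $pid === null || $pid < 1) {
    http_response_code(400);
    exit('Invalid product id');
}

// 5. Prepared statement with a bound parameter instead of string concatenation.
//    Original: mysqli_query($conn, "select * from product where productid='$pid'")
$stmt = mysqli_prepare($conn, 'DELETE FROM product WHERE productid = ?');
if ($stmt === false) {
    http_response_code(500);
    exit('Database error');
}
mysqli_stmt_bind_param($stmt, 'i', $pid);   // 'i' binds $pid as an integer
mysqli_stmt_execute($stmt);
$deleted = mysqli_stmt_affected_rows($stmt);
mysqli_stmt_close($stmt);

echo "Deleted $deleted product(s)";
```

The prepared statement is the actual SQL injection fix; the integer validation, admin check and CSRF token are defense in depth that the advisory also calls for.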
Preconditions
- auth: Attacker must have a valid authenticated session (PHPSESSID cookie)
- network: Target application must be reachable over the network
- config: No input sanitization or prepared statements are used on the vulnerable endpoint
Reproduction
1. Log in to the POS Inventory System and obtain a valid PHPSESSID cookie.
2. Send a GET request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/c4ttr4ck/5d05aaee5b43f259ebe8bb8bce5c658f (mitre: exploit)
- vuldb.com/submit/813611 (mitre: third-party-advisory)
- vuldb.com/vuln/365425 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365425/cti (mitre: signature, permissions-required)
- www.sourcecodester.com (mitre: product)
News mentions
No linked articles in our index yet.