Key Information Vulnerability Overview CVE ID: CVE-2025-61455 Disclosure Date: October 13, 2025 Severity: CRITICAL (CVSS v3.1: 9.8) Affected Product Vendor: Independent (Bhavishtya-123) Project: E-commerce Version: v1.0 File: signup.inc.php Vulnerable Endpoint: Vulnerability Details The application directly uses unvalidated user input in SQL queries, specifically in the parameter within the file. Attackers can inject malicious SQL code via the parameter, enabling a time-based blind SQL injection attack. CWE Classification CWE ID: CWE-89 - SQL Injection CVSS Score Score: 9.8 Severity: CRITICAL Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Impact Successful exploitation may lead to: - Complete bypass of authentication - Unauthorized access to privileged functions - Data exposure - Data manipulation or deletion - Full compromise of the backend database - Potential for remote code execution Proof of Concept (PoC) 1. Clone the repository: 2. Host locally: Deploy the project using XAMPP/LAMP and navigate to 3. Inject payload: Send a malicious HTTP POST request containing a time-delay SQL injection payload. Recommended Mitigations Replace dynamic SQL queries with prepared statements Validate and sanitize all user inputs Deploy a Web Application Firewall (WAF) to block known SQL injection patterns Conduct regular code reviews and penetration testing Implement parameterized queries Use whitelisting for input validation where possible