
CVE-2025-10793: SQL Injection in code-projects E-Commerce Website

Severity: Medium
Tags: Vulnerability, CVE-2025-10793
Published: Mon Sep 22 2025 (09/22/2025, 10:02:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: E-Commerce Website

Description

A vulnerability was detected in code-projects E-Commerce Website 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/admin_account_delete.php. Performing manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

AI-Powered Analysis

Last updated: 09/22/2025, 12:53:17 UTC

Technical Analysis

CVE-2025-10793 is a SQL Injection vulnerability identified in version 1.0 of the code-projects E-Commerce Website, specifically within the /pages/admin_account_delete.php file. The vulnerability arises due to improper sanitization or validation of the user_id parameter, which is used in SQL queries to manage administrative account deletions. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the intended database queries. This can lead to unauthorized data access, modification, or deletion. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is rated as low to medium, suggesting partial compromise of data or limited disruption. Although no known exploits are currently reported in the wild, the exploit code is publicly available, increasing the risk of exploitation. The lack of a patch link indicates that a fix may not yet be released, emphasizing the need for immediate mitigation steps. This vulnerability is critical for organizations using this specific e-commerce platform version, as it targets administrative functionalities that could lead to significant unauthorized control over user accounts and sensitive data.
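The defect class described above, shown side by side with the fix the mitigation section asks for. This is an added illustration, not code from the code-projects application or from the advisory: the real endpoint is PHP, and the application's schema is not public, so the table, the in-memory SQLite database and the `make_db`, `delete_admin_vulnerable` and `delete_admin_hardened` helpers are all assumptions; only the `user_id` parameter name comes from the page. The same bound-parameter pattern applies to PDO or mysqli prepared statements in PHP.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the application's admin table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admins (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO admins VALUES (?, ?)",
        [(1, "root"), (2, "ops"), (3, "audit")],
    )
    conn.commit()
    return conn


def admin_count(conn):
    return conn.execute("SELECT COUNT(*) FROM admins").fetchone()[0]


def delete_admin_vulnerable(conn, raw_user_id):
    """The defect class in the advisory: the request parameter is pasted
    straight into the statement text, so the database parses it as SQL
    rather than treating it as a value. Returns rows deleted."""
    sql = "DELETE FROM admins WHERE user_id = " + raw_user_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# Short decimal string only; anything else is rejected before it reaches SQL.
USER_ID_RE = re.compile(r"[0-9]{1,10}")


def delete_admin_hardened(conn, raw_user_id, session_is_admin):
    """Three layered controls: the caller must hold an admin session (the
    advisory notes the endpoint currently needs no authentication), the id
    must be a short decimal string, and the value is bound as a parameter
    so it can never change the statement's structure. Returns rows deleted."""
    if not session_is_admin:
        raise PermissionError("admin session required")
    if not USER_ID_RE.fullmatch(raw_user_id):
        raise ValueError("user_id must be a positive integer")
    cur = conn.execute(
        "DELETE FROM admins WHERE user_id = ?", (int(raw_user_id),)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("hardened delete of id 2 removed", delete_admin_hardened(db, "2", True), "row")
    print("admins remaining:", admin_count(db))
```

With the bound parameter, a value such as `2 OR 1=1` is either rejected by the integer check or, if the check were absent, compared as a literal that matches no primary key; only the vulnerable variant lets it widen the `WHERE` clause to every row.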

Potential Impact

For European organizations using the code-projects E-Commerce Website version 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of customer and administrative data. Exploitation could allow attackers to delete or manipulate admin accounts, potentially leading to privilege escalation or complete takeover of the e-commerce platform. This could result in data breaches involving personal customer information, financial data, and transaction records, undermining GDPR compliance and leading to regulatory penalties. Additionally, unauthorized deletions or modifications could disrupt business operations, causing financial losses and reputational damage. Given the remote exploitability without authentication, attackers can target vulnerable systems at scale, increasing the threat surface. The medium severity rating suggests that while the impact is significant, it may not lead to full system compromise without additional vulnerabilities or misconfigurations. However, the public availability of exploit code elevates the urgency for European organizations to assess their exposure and implement mitigations promptly.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the /pages/admin_account_delete.php endpoint via network controls such as IP whitelisting or VPN-only access to limit exposure.
2. Implement web application firewall (WAF) rules specifically designed to detect and block SQL injection patterns targeting the user_id parameter.
3. Conduct a thorough code review and apply input validation and parameterized queries or prepared statements to sanitize the user_id input, eliminating the injection vector.
4. Monitor logs for unusual activities related to admin account deletions or suspicious SQL errors that may indicate exploitation attempts.
5. If possible, upgrade to a patched or newer version of the code-projects E-Commerce Website once available.
6. As an interim step, disable or restrict the admin account deletion functionality if it is not critical to operations.
7. Educate the development and security teams about secure coding practices to prevent similar vulnerabilities in future releases.
8. Regularly scan the environment with automated vulnerability scanners to detect any residual or related injection flaws.
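A concrete form of recommendation 4 (log monitoring for the deletion endpoint), added here as an example and not taken from the advisory or the project. It scans web-server access logs in combined format for requests to /pages/admin_account_delete.php whose `user_id` is not a plain integer, or which the server answered with a 5xx status (the usual symptom of a SQL error). The log lines are constructed with documentation IP ranges; the `scan_delete_requests` and `clients_by_finding_count` functions and the log format are assumptions, while the endpoint path and parameter name come from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/nginx combined-log format; not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2025:10:02:06 +0000] "GET /pages/admin_account_delete.php?user_id=7 HTTP/1.1" 302 0
198.51.100.9 - - [22/Sep/2025:10:03:11 +0000] "GET /pages/admin_account_delete.php?user_id=7%27 HTTP/1.1" 500 0
198.51.100.9 - - [22/Sep/2025:10:03:12 +0000] "GET /pages/admin_account_delete.php?user_id=7+OR+1%3D1 HTTP/1.1" 302 0
192.0.2.20 - - [22/Sep/2025:10:05:00 +0000] "GET /pages/products.php?id=3 HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/pages/admin_account_delete.php"  # path cited in the advisory


def scan_delete_requests(log_text):
    """Return one finding per request to the deletion endpoint whose user_id
    is not a plain integer, or which produced a 5xx response.
    Each finding is (timestamp, client ip, decoded user_id, reason)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes and turns '+' into a space, so the value
        # inspected is what the PHP side would see in $_GET['user_id'].
        user_id = parse_qs(url.query).get("user_id", [""])[0]
        reasons = []
        if not re.fullmatch(r"[0-9]+", user_id):
            reasons.append("non-numeric user_id")
        if m["status"].startswith("5"):
            reasons.append("server error on delete endpoint")
        if reasons:
            findings.append((m["ts"], m["ip"], user_id, "; ".join(reasons)))
    return findings


def clients_by_finding_count(findings):
    """Aggregate findings per client IP, most active first, for triage."""
    counts = {}
    for _, ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for finding in scan_delete_requests(SAMPLE_LOG):
        print(finding)
    print(clients_by_finding_count(scan_delete_requests(SAMPLE_LOG)))
```

The legitimate request with `user_id=7` and the unrelated product page produce no finding; only the two requests from 198.51.100.9 are flagged. Feeding real logs through the same function gives a per-client count that can drive the network restrictions in recommendation 1.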


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-21T09:22:57.234Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68d14699803041629e2f9914

Added to database: 9/22/2025, 12:52:41 PM

Last enriched: 9/22/2025, 12:53:17 PM

Last updated: 9/23/2025, 6:05:03 AM

