
CVE-2025-6484: SQL Injection in code-projects Online Shopping Store

Severity: Medium
Published: Sun Jun 22 2025 (06/22/2025, 16:31:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Online Shopping Store

Description

A vulnerability was found in code-projects Online Shopping Store 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /action.php. The manipulation of the argument cat_id/brand_id/keyword/proId/pid leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/22/2025, 17:04:37 UTC

Technical Analysis

CVE-2025-6484 is a SQL injection vulnerability identified in version 1.0 of the code-projects Online Shopping Store application, specifically within the /action.php file. The vulnerability arises from improper sanitization of the user-supplied request parameters cat_id, brand_id, keyword, proId, and pid. An attacker can remotely manipulate these parameters to inject SQL into the application's queries, potentially gaining unauthorized access to the underlying database. This could lead to unauthorized data disclosure, modification, or deletion, depending on the database privileges of the application's account. No user interaction is required and, per the CVSS vector, no authentication is required either; the attacker only needs to be able to send crafted requests to /action.php. The CVSS 4.0 score is 5.1 (medium severity): the attack vector is network-based and the attack complexity is low, but the impact on confidentiality, integrity, and availability is rated low. No exploitation in the wild has been observed, but the exploit details have been publicly disclosed, which increases the risk of exploitation. Only version 1.0 of the product is affected. Because the product is an online shopping platform, the exposed data may include product catalogs, user queries, and transaction-related information. The absence of patches or vendor advisories at this time increases the urgency for organizations to implement mitigations.

Potential Impact

For European organizations using the code-projects Online Shopping Store version 1.0, this vulnerability could lead to unauthorized access to sensitive e-commerce data, including product information, user search queries, and potentially customer data if the database schema is interconnected. This could result in data breaches, loss of customer trust, and regulatory non-compliance, especially under GDPR requirements concerning personal data protection. The integrity of the database could be compromised, allowing attackers to alter product listings or pricing, potentially causing financial loss or reputational damage. Availability impact is likely low but could occur if attackers execute destructive SQL commands. Given the medium CVSS score, the overall risk is moderate but should not be underestimated due to the public disclosure of the exploit. Organizations in sectors relying heavily on e-commerce platforms, such as retail and wholesale, could face operational disruptions and legal consequences if exploited.

Mitigation Recommendations

1. Immediate mitigation should include implementing Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the vulnerable parameters (cat_id, brand_id, keyword, proId, pid).
2. Conduct a thorough code review and input validation on all user-supplied parameters in /action.php, employing parameterized queries or prepared statements to prevent SQL injection.
3. If possible, upgrade or patch the application once vendor fixes become available; in the absence of official patches, consider isolating the affected application or restricting access to trusted IPs temporarily.
4. Monitor application logs for unusual query patterns or repeated failed attempts to exploit these parameters.
5. Perform regular database backups and ensure they are securely stored to enable recovery in case of data tampering.
6. Educate development teams on secure coding practices to prevent similar vulnerabilities in future releases.
7. For organizations unable to patch immediately, consider deploying runtime application self-protection (RASP) solutions to detect and block injection attacks in real-time.
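The following is an added example illustrating recommendation 2 (type validation plus parameterized queries); it is not code from the code-projects application, whose real /action.php source and schema are not on this page. It uses a constructed in-memory SQLite catalogue with an assumed products table, and contrasts the flaw class (a request parameter concatenated into SQL) with a hardened handler for the numeric cat_id filter and the free-text keyword search.

```python
import sqlite3


def build_db():
    # Constructed sample catalogue; schema is assumed, not taken from the real product.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, "
               "cat_id INTEGER, brand_id INTEGER, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?)", [
        (1, "Laptop", 1, 10, 999.0),
        (2, "Phone", 2, 10, 499.0),
        (3, "Headphones", 3, 20, 79.0),
    ])
    return db


def vulnerable_filter(db, cat_id):
    # The flaw class described in the advisory: the raw request value is
    # spliced into the statement, so SQL in the value changes the query.
    sql = "SELECT name FROM products WHERE cat_id = " + cat_id + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def safe_filter(db, cat_id):
    # Hardened: enforce the expected type first (cat_id is an integer id),
    # then bind the value so the driver never treats it as SQL.
    if not cat_id.isdigit():
        raise ValueError("cat_id must be a non-negative integer")
    rows = db.execute("SELECT name FROM products WHERE cat_id = ? ORDER BY id",
                      (int(cat_id),))
    return [row[0] for row in rows]


def safe_keyword_search(db, keyword):
    # Free-text search is still bound as a parameter. LIKE wildcards are
    # escaped so user input cannot widen the match to the whole table.
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    rows = db.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escaped + "%",))
    return [row[0] for row in rows]
```

The vulnerable function returns the whole table for a value such as `1 OR 1=1`, while the hardened version rejects it before any query runs; the same pattern applies to brand_id, proId and pid.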


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-21T05:57:25.688Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68583417179a4edd60b4b3a9

Added to database: 6/22/2025, 4:49:27 PM

Last enriched: 6/22/2025, 5:04:37 PM

Last updated: 8/16/2025, 1:37:01 AM

