CVE-2025-13560: Critical SQL Injection Vulnerability Threatens SourceCodester CMS Websites

Overview

CVE-2025-13560 is a critical SQL injection vulnerability affecting SourceCodester Company Website CMS version 1.0. This vulnerability resides within the /admin/reset-password.php file and allows remote attackers to execute arbitrary SQL commands through manipulation of the email argument. This can lead to unauthorized data access, modification, or even complete system compromise. The exploit is publicly available, increasing the urgency for remediation.

Technical Details

The vulnerability stems from insufficient sanitization of user-supplied input within the /admin/reset-password.php file. Specifically, the email parameter, intended for password reset functionality, is not properly validated or escaped before being incorporated into a SQL query. An attacker can inject malicious SQL code into this parameter, allowing them to bypass authentication and potentially gain administrative privileges. A specially crafted email address, containing SQL syntax, can be submitted to trigger the vulnerability.

The vulnerable code snippet (illustrative, not the exact file contents):

    <?php
    // Vulnerable pattern: the email value from the POST body is placed directly
    // into the SQL string with no validation or escaping, so any SQL syntax it
    // contains becomes part of the query that the application then executes.
    $email = $_POST['email'];
    $query = "SELECT * FROM users WHERE email = '$email'";

CVSS Analysis

  • CVSS Score: 7.3 (HIGH)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Explanation: This score reflects the severity of the vulnerability. It is remotely exploitable (AV:N) with low attack complexity (AC:L) and requires no privileges (PR:N) or user interaction (UI:N). While the impact on confidentiality (C:L), integrity (I:L), and availability (A:L) is rated as low, the potential for escalating privileges and gaining complete control of the system elevates the overall risk.

Possible Impact

Successful exploitation of CVE-2025-13560 can have severe consequences, including:

  • Data Breach: Attackers can access sensitive user data, including usernames, passwords, email addresses, and other personal information.
  • Account Takeover: Attackers can reset passwords for any user account, including administrative accounts, gaining complete control of the website.
  • Website Defacement: Attackers can modify website content, injecting malicious code or defacing the site.
  • Malware Distribution: The compromised website can be used to distribute malware to visitors.
  • Denial of Service (DoS): Attackers can manipulate the database to cause errors or crashes, rendering the website unavailable.

Mitigation and Patch Steps

To mitigate the risk posed by CVE-2025-13560, the following steps are recommended:

  1. Apply the Patch: Immediately apply the official patch released by SourceCodester, if available. Check the SourceCodester website for updates and security advisories.
  2. Input Sanitization: Implement robust input sanitization and validation for all user-supplied data, especially the email parameter in /admin/reset-password.php. Use prepared statements or parameterized queries to prevent SQL injection.
  3. Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to detect and block malicious requests targeting the vulnerable endpoint. Configure the WAF to filter SQL injection attempts.
  4. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in the CMS and its underlying infrastructure.
  5. Principle of Least Privilege: Ensure that database users have only the necessary permissions to perform their tasks, minimizing the impact of a successful SQL injection attack.
  6. Disable the Vulnerable Endpoint: Temporarily disable the reset-password endpoint until the fix is implemented and tested in a non-production environment.
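To show what step 2 means in practice, the following is an added example (not the CMS's own code): the interpolated query from the Technical Details section next to a hardened lookup that validates the address and binds it with a prepared statement. It uses an in-memory SQLite table constructed here so it runs stand-alone; the real CMS's MySQL connection, schema and file layout are not shown and are assumed to differ.

```php
<?php
// Constructed fixture: a tiny users table standing in for the CMS database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)");
$db->exec("INSERT INTO users (email, role) VALUES
           ('admin@example.com', 'admin'), ('alice@example.com', 'user')");

// Vulnerable: the submitted value is interpolated straight into the SQL text,
// so SQL syntax inside it changes the meaning of the WHERE clause.
function lookupVulnerable(PDO $db, string $email): array
{
    $query = "SELECT id, email, role FROM users WHERE email = '$email'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not shaped like an address, then bind the
// value as a parameter so the database only ever compares it literally.
function lookupHardened(PDO $db, string $email): array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [];
    }
    $stmt = $db->prepare("SELECT id, email, role FROM users WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input of the kind the advisory describes: SQL syntax where an
// address is expected. Against the vulnerable lookup it matches every user,
// including the admin row the reset flow would then act on.
$crafted = "x' OR '1'='1";
printf("vulnerable lookup: %d row(s)\n", count(lookupVulnerable($db, $crafted)));

// The hardened lookup matches nothing for the crafted value (it fails
// validation, and even unvalidated it would only be compared as a string)
// while still finding a genuine account.
printf("hardened lookup:   %d row(s)\n", count(lookupHardened($db, $crafted)));
printf("hardened, real address: %d row(s)\n",
       count(lookupHardened($db, 'alice@example.com')));
```

Run it with the PHP CLI (pdo_sqlite enabled) to see the vulnerable lookup return both rows and the hardened one return none for the crafted value.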

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.