Skip to main content
CVE Vulnerability Database

CVE-2025-7755: Online Ordering System RCE Vulnerability

CVE-2025-7755 is a critical remote code execution vulnerability in Online Ordering System 1.0 caused by unrestricted file upload in edit_product.php. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7755 Overview

CVE-2025-7755 affects code-projects Online Ordering System 1.0. The vulnerability resides in the /admin/edit_product.php script, where the image parameter accepts file uploads without proper restriction. An authenticated attacker with low privileges can manipulate this argument to upload arbitrary files to the server. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed deployments. The weakness is classified under [CWE-284] Improper Access Control and is reachable over the network. While the CVSS 4.0 base score is 2.1 (Low), uploading executable content to a web-accessible directory can still enable follow-on impact depending on server configuration.

Critical Impact

Authenticated attackers can upload arbitrary files via the image parameter in /admin/edit_product.php, potentially leading to malicious content hosted on the web server.

Affected Products

  • code-projects Online Ordering System 1.0
  • Deployments exposing /admin/edit_product.php to untrusted networks
  • Installations without web server upload restrictions (.php, .phtml, .jsp)

Discovery Timeline

  • 2025-07-17 - CVE-2025-7755 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-7755

Vulnerability Analysis

The flaw is an unrestricted file upload condition in the administrative product editing workflow. The edit_product.php endpoint accepts a file via the image parameter and writes it to the server filesystem without validating the file type, extension, MIME type, or content. The application trusts client-supplied metadata and does not enforce a server-side allowlist. As a result, an attacker with access to the admin panel can submit a request that places attacker-controlled content under a web-served directory. The vulnerability is exploitable remotely over HTTP. Public disclosure on VulDB entry #316745 and a GitHub issue tracker provides reproduction details. The EPSS probability for this CVE is 0.293%.

Root Cause

The root cause is missing access control and missing input validation on the upload handler. The application accepts arbitrary file extensions and does not restrict the upload destination. Because authentication to the admin interface is the only barrier, weak admin credentials, default accounts, or stolen sessions amplify exposure.

Attack Vector

The attack vector is network-based and requires low privileges. An attacker authenticates to the admin panel and submits a multipart POST request to /admin/edit_product.php, attaching a malicious file in the image field. The server stores the file under a predictable path, allowing the attacker to request it directly through the web server. No user interaction is required beyond the attacker's authenticated session.

No verified public proof-of-concept code is included in the NVD record. Refer to the VulDB submission #615552 for disclosed reproduction details.

Detection Methods for CVE-2025-7755

Indicators of Compromise

  • New or unexpected files in product image directories with extensions such as .php, .phtml, .jsp, .asp, or .aspx.
  • HTTP POST requests to /admin/edit_product.php containing multipart uploads with non-image MIME types or executable content.
  • Outbound connections originating from the web server process to unfamiliar external hosts shortly after admin activity.
  • Web server access log entries showing direct GET requests to uploaded files in the product image path.

Detection Strategies

  • Inspect web server access logs for POST requests to /admin/edit_product.php and correlate with subsequent GET requests retrieving the uploaded artifact.
  • Apply file integrity monitoring to upload directories to flag files with server-side executable extensions.
  • Deploy web application firewall rules that block uploads where the declared content-type or file signature does not match a permitted image format.
  • Hunt for PHP processes spawning shells (sh, bash, cmd.exe) on the web server, indicating successful webshell execution.

Monitoring Recommendations

  • Centralize web server, application, and host logs into a SIEM and alert on writes to web-served directories by the PHP user.
  • Monitor admin authentication events for anomalies such as off-hours logins or logins from new geographies.
  • Track process lineage on the web server host to identify webshell-driven command execution.

How to Mitigate CVE-2025-7755

Immediate Actions Required

  • Restrict network access to /admin/edit_product.php and the entire admin panel using IP allowlists or a VPN.
  • Audit the product image upload directory and remove any files that are not legitimate image content.
  • Rotate administrator credentials and enforce strong, unique passwords for all admin accounts.
  • Configure the web server to refuse execution of scripts in upload directories (for example, disable PHP handlers in image folders).

Patch Information

No official vendor patch is referenced in the NVD record for CVE-2025-7755. Users of code-projects Online Ordering System 1.0 should monitor the code-projects website for updates and consider migrating to a maintained alternative. Where source code access is available, modify edit_product.php to validate extensions against an allowlist (jpg, jpeg, png, gif), verify MIME type via server-side inspection, and rename uploaded files to non-executable names.

Workarounds

  • Place the application behind a reverse proxy and block multipart uploads to administrative endpoints from untrusted networks.
  • Configure the web server to serve the upload directory with a static handler only, disabling script interpretation.
  • Enforce server-side file signature verification before persisting uploads to disk.
  • Apply WAF rules that drop uploads where the file content does not match the declared image format.
bash
# Apache configuration to disable script execution in the uploads directory
<Directory "/var/www/online_ordering/admin/uploads">
    php_admin_flag engine off
    AddType text/plain .php .phtml .php3 .php4 .php5 .phar
    Options -ExecCGI
    <FilesMatch "\.(php|phtml|phar|cgi|pl|jsp|asp)$">
        Require all denied
    </FilesMatch>
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.