CVE-2020-25905

CRITICAL

Mobile Shop System 1.0 - SQL Injection via Email Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-25905. PoCs published by Moaaz Taha.

AI-analyzed exploit summary: This exploit demonstrates an SQL injection vulnerability in Mobile Shop System v1.0, allowing authentication bypass by injecting a payload into the email field. The provided HTTP POST requests show the exact method to bypass login as both a regular user and an admin.

Description

An SQL injection vulnerability exists in Sourcecodester Mobile Shop System in PHP MySQL 1.0 via the email parameter in (1) login.php or (2) LoginAsAdmin.php.

Exploits (1)

exploitdb WORKING POC
by Moaaz Taha · text · webapps · php
https://www.exploit-db.com/exploits/48916

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Mobile Shop System v1.0
No auth needed
Prerequisites: Access to the login page of the target application
devstral-2 · analyzed Feb 16, 2026

References (2)

Core 2
Core References
Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/48916

Scores

CVSS v3 9.8
EPSS 0.0167
EPSS Percentile 73.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
mobile_shop_system_project/mobile_shop_system 1.0
Published Jan 28, 2022
Tracked Since Feb 18, 2026