CVE-2025-22976

HIGH

dingfanzuCMS 1.0 - SQL Injection via checkOrder.php shopId Parameter

Title source: llm

Description

SQL Injection vulnerability in dingfanzuCMS v.1.0 allows a local attacker to execute arbitrary code via not filtering the content correctly at the "checkOrder.php" shopId module.

References (1)

Core 1

Core References

Various Sources

https://github.com/xiaosguang/cve/blob/main/dingfanzu/dingfanzu-CMS%20checkOrder.php%20shopId%20SQL-inject.md

View Writeup ZIP pw:eip

Scores

CVSS v3 7.1

EPSS 0.0020

EPSS Percentile 10.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Published Jan 15, 2025

Tracked Since Feb 18, 2026