Impact
The vulnerability is an unsanitized ID parameter in the /single-list_sale.php?action=add endpoint that allows attackers to inject arbitrary SQL commands. This flaw permits a remote attacker to read, modify, or delete records in the database depending on the privileges of the injected query. The vulnerability is classified as a typical SQL injection (CWE‑89) caused by improper input handling (CWE‑74).
Affected Systems
The flaw exists in code‑projects Real State Services version 1.0. No other versions were listed, so any deployment of the 1.0 release is potentially vulnerable.
Risk and Exploitability
The CVSS score of 6.9 indicates a medium severity for a remote exploit. Because no EPSS data is not listed in CISA's KEV catalog, the likelihood of widespread deployment remains uncertain; however, public exploits are already available, so the attack window is open. The attacker needs only network access to the vulnerable endpoint and can manipulate the ID parameter without authentication, which increases exploitability.
OpenCVE Enrichment