MEDIUM 6.3

CVE-2026-10874: SQL Injection in projectworlds Online Art Gallery Shop Admin Panel

A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 affecting the admin dashboard. An authenticated attacker can manipulate the 'social_insta' parameter in the /admin/adminHome.php file to inject malicious SQL commands. This allows unauthorized access to sensitive database information, modification of data, or potential system disruption. The vulnerability requires valid login credentials but has no other technical barriers to exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in projectworlds Online Art Gallery Shop Project 1.0. The affected element is an unknown function of the file /admin/adminHome.php. The manipulation of the argument social_insta leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10874 is a SQL injection flaw in the admin panel of projectworlds Online Art Gallery Shop Project 1.0. The vulnerability resides in an unidentified function within /admin/adminHome.php where the 'social_insta' parameter is not properly sanitized before being passed to database queries. Attackers with administrative access credentials can bypass input validation and execute arbitrary SQL commands, potentially extracting, modifying, or deleting database records. The issue is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Business impact

Compromise of the admin dashboard creates serious operational risk. Attackers can exfiltrate customer data, product information, and transactional records stored in the database. Data modification attacks could corrupt product listings, pricing, or customer orders. For e-commerce deployments of this gallery shop, unauthorized database access may lead to financial fraud, regulatory compliance violations (GDPR, PCI-DSS), and reputational damage. The requirement for authenticated access limits the blast radius to insider threats or compromised admin accounts, but does not eliminate material risk.

Affected systems

projectworlds Online Art Gallery Shop Project version 1.0 is affected. Organizations running this application on web servers accessible to staff or internal networks face direct risk. The vulnerability is specific to the admin interface and does not affect end-user gallery views or public-facing components. Any deployment of version 1.0 should be considered vulnerable unless patching information becomes available from the vendor.

Exploitability

The vulnerability has a CVSS 3.1 score of 6.3 (MEDIUM severity) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. Exploitation requires network access and valid authentication credentials (PR:L), meaning an attacker must possess or have obtained admin login details. Once authenticated, the attack is trivial: no special tools or user interaction are needed to inject the SQL payload. Proof-of-concept exploits are publicly available, lowering the technical bar for opportunistic attackers. Insider threats or accounts compromised through phishing or credential stuffing represent the primary attack vector.

Remediation

Immediate action: Restrict administrative access to trusted networks only using firewall rules or VPN gateways. Review admin account activity logs for suspicious database queries or unusual parameter values in the social_insta field. Verify that no unauthorized data exfiltration has occurred. Primary remediation depends on vendor patches; check projectworlds for security updates or contact the vendor directly. If no patches are available, consider migrating to an alternative e-commerce gallery solution or implementing Web Application Firewall (WAF) rules to block malformed SQL payloads in the social_insta parameter.

Patch guidance

Verify with projectworlds directly for available security patches addressing this SQL injection. Check their official website, GitHub repository (if public), or support channels for CVE-2026-10874 patch releases. Apply patches to the /admin/adminHome.php module and test thoroughly in a staging environment before production deployment. If the vendor has not released a patch, implement parameterized queries and input validation in the social_insta parameter handling as a compensating control. Consider upgrading to a newer version of the project if available and compatible with your deployment.

Detection guidance

Monitor web server and database logs for SQL injection patterns in requests to /admin/adminHome.php, particularly payloads containing SQL keywords (UNION, SELECT, DROP, INSERT) within the social_insta parameter. Database query logs should be analyzed for unexpected administrative commands executed by the admin user accounts. Network-based detection can flag HTTP POST/GET requests with encoded or obfuscated SQL syntax. Endpoint detection and response (EDR) tools may identify suspicious database client activity originating from the application process. Review authentication logs for unauthorized admin logins or failed attempts followed by successful exploitation.

Why prioritize this

While the CVSS score is MEDIUM (6.3), prioritize this vulnerability based on the attack vector being both remote and readily exploitable with publicly available code. The requirement for authenticated access somewhat mitigates risk, but admin credentials are often the target of lateral movement attacks and insider threats. For organizations running this legacy project, timely patching reduces exposure to data exfiltration and compliance violations. The absence of this vulnerability from the CISA Known Exploited Vulnerabilities (KEV) catalog does not indicate low active threat; public exploits exist and active scanning for vulnerable instances is likely.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects moderate impact potential (confidentiality, integrity, and availability all affected at low level) balanced against the authentication requirement. The attack complexity is low (AC:L) and no user interaction is required (UI:N), making weaponization straightforward. The scope is unchanged (S:U), meaning the attack does not cross privilege boundaries within the target application. This score appropriately reflects the real-world risk: accessible to attackers with valid credentials or those who compromise admin accounts, but not a zero-click, zero-authentication remote code execution scenario. Organizations should treat this as higher priority than the base score alone suggests if their admin environment is exposed to untrusted networks.

Frequently asked questions

Does this vulnerability affect end-users visiting the online gallery?

No. The vulnerability is isolated to the admin panel at /admin/adminHome.php and requires authentication. End-users browsing the gallery are not directly affected. However, if attackers modify database records, they could indirectly impact user experience through corrupted product data or pricing information.

What if we don't have direct contact with projectworlds for patches?

If the vendor is unresponsive or no patch is available, implement input validation and parameterized queries in the social_insta parameter handling. Use a Web Application Firewall to detect and block SQL injection payloads. Restrict admin panel access to trusted IP addresses only. Consider isolating the application or migrating to a maintained alternative.

How do we know if we've been exploited?

Check admin account login history for unauthorized access or logins from unfamiliar IP addresses. Query database audit logs for unexpected SQL commands, data exports, or modifications to customer records. Review web server access logs for the pattern of requests to /admin/adminHome.php with unusual social_insta parameter values containing SQL syntax.

Why is this not on the CISA Known Exploited Vulnerabilities list yet?

CISA's KEV catalog focuses on vulnerabilities with evidence of active exploitation in the wild or significant threat actor adoption. Absence from the KEV list does not mean this vulnerability is low-risk; public exploits exist and automated scanners may already be probing for vulnerable instances.

This vulnerability intelligence is provided for informational purposes. SEC.co makes no warranty regarding the accuracy, completeness, or suitability of this analysis. Organizations should verify all patch information, vendor advisories, and affected product versions directly with projectworlds and conduct their own risk assessment. The absence of a vulnerability from CISA's KEV catalog does not indicate low threat. No exploit code or step-by-step weaponization guidance is provided herein. All remediation advice should be tested in non-production environments first. For proprietary or sensitive deployments, consult a qualified cybersecurity professional before implementing changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).