QR Menu Pro, Session Fixation, CVE-2025-7014 (Medium)

Listen to this Post

CVE-2025-7014 is a Session Fixation vulnerability found in the Menu Panel of QR Menu Pro Smart Menu Systems. The vulnerability exists because the application fails to regenerate the session identifier (Session ID) after a user successfully authenticates. In a typical session fixation attack, an attacker can force a user’s browser to use a session ID known to the attacker. This is often done by sending the victim a crafted link that contains a specific session ID. If the victim uses this link to access the application and then logs in, the application, due to the flaw, accepts the pre-set session ID without issuing a new one. The attacker, who already knows this valid session ID, can then hijack the session and gain unauthorized access to the victim’s authenticated account and the sensitive data associated with it . The vendor was contacted about this disclosure but did not respond, leaving all versions up to 29012026 vulnerable .

dailycve form:

Platform: QR Menu Pro
Version: Through 29012026
Vulnerability : Session Fixation
Severity: Medium (5.7)
date: 01/29/2026

Prediction: No Patch Expected

What Undercode Say:

Analytics:

The vulnerability is present in all versions of the Menu Panel up to the date 29012026 (29th January 2026). It has a CVSS score of 5.7 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. This indicates the attack is over the network with low complexity, but requires low privileges and user interaction. The primary impact is high on confidentiality, meaning sensitive data exposed via session hijacking. The EPSS score is approximately 0.0001, indicating a very low probability of exploitation in the wild at the time of analysis .

Exploit:

An attacker can craft a malicious URL containing a fixed session ID, such as:
https://vulnerable-site.com/menu-panel/login.php?PHPSESSID=FIXEDSESSIONID123`
If the victim clicks this link and logs in, the server accepts `FIXEDSESSIONID123` as the valid session token. The attacker then uses the same session ID in their browser to access the authenticated area of the application.
curl -b “PHPSESSID=FIXEDSESSIONID123” https://vulnerable-site.com/menu-panel/admin-dashboard`

Protection from this CVE:

Since no official patch is available, implement the following mitigations :
1. Regenerate Session on Login: Force the application to invalidate any existing session and generate a new, random session ID immediately after a user provides valid credentials.

// Example PHP code to regenerate session ID
session_start();
// After user successfully logs in
session_regenerate_id(true);
$_SESSION['user_id'] = $user_id;

2. Set Secure Cookie Flags: Configure session cookies with HttpOnly, Secure, and `SameSite` attributes to prevent client-side script access and ensure transmission over HTTPS only.

; Example php.ini configuration
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = "Strict"

3. User Education: Train users to avoid clicking on untrusted links and to manually type the application URL into their browser.
4. Monitor Logs: Check web server access logs for multiple requests using the same session ID from different IP addresses, which could indicate session sharing or hijacking.

Example grep command to find a specific session ID in access logs
grep "PHPSESSID=FIXEDSESSIONID123" /var/log/apache2/access.log

Impact:

Successful exploitation allows an attacker to hijack an active user session. This can lead to unauthorized access to the victim’s account, exposure of sensitive customer or business information (such as order details or payment data), and potential privacy breaches, which could have legal consequences under regulations like GDPR .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top