Online Course Registration CVE-2025-11342
Severity by source: LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (source: CVE.org)
A weakness has been identified in code-projects Online Course Registration 1.0. This impacts an unknown function of the file /admin/edit-course.php. Executing manipulation of the argument coursecode can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI-generated)
SQL injection in code-projects Online Course Registration 1.0 allows high-privileged remote attackers to manipulate the coursecode parameter in /admin/edit-course.php, potentially extracting or modifying database contents. CVSS 4.0 reflects limited scope (only confidentiality/integrity impact to database layer with no system scope expansion), but the vulnerability requires administrative authentication (PR:H), significantly constraining real-world risk despite public exploit availability and 0.03% EPSS indicating minimal spontaneous exploitation likelihood.
Technical Context (AI-generated)
The vulnerability stems from improper input validation of the coursecode parameter (CWE-74: Improper Neutralization of Special Elements in Output) in a PHP-based course management application. The /admin/edit-course.php endpoint fails to sanitize SQL metacharacters in the coursecode argument before incorporating it into database queries, enabling attackers to break out of the intended SQL statement structure and inject arbitrary SQL commands. The attack surface is limited to authenticated administrative users accessing the course editing interface, as indicated by the PR:H (High Privilege Required) constraint in the CVSS vector.
Remediation (AI-generated)
Apply input validation and parameterized queries to the coursecode parameter in /admin/edit-course.php. If a vendor patch is not available, implement the following compensating controls immediately:

(1) Replace all SQL string concatenation with parameterized prepared statements (bind variables) using PHP Data Objects (PDO) or mysqli prepared statements. This eliminates SQL injection by separating query structure from user input, with minimal performance overhead.

(2) Validate coursecode against an allow-list of permitted characters (e.g., alphanumeric and underscore only) before query execution, rejecting any input containing SQL metacharacters (single quotes, semicolons, double hyphens, parentheses).

(3) Apply the principle of least privilege to the database user executing admin queries: create a dedicated read/write role for /admin/edit-course.php that lacks ALTER TABLE or CREATE USER permissions, so that an attacker cannot modify the schema or escalate privileges even if SQL injection succeeds.

(4) Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the coursecode parameter (e.g., OWASP ModSecurity Core Rule Set SQL injection rules), though this is secondary to the code-level fixes.

Monitor admin account activity for unusual database query patterns. No vendor advisory with a specific patch version is documented; check code-projects.org and vuldb.com for updates.
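The following is an added illustration of controls (1) and (2), not code from the Online Course Registration project: an allow-list check on coursecode followed by mysqli prepared statements for the lookup and update that an edit-course page performs. The table and column names (course, coursecode, coursename) and the $conn mysqli handle are assumptions.

```php
<?php
// Added example for hardening coursecode handling in /admin/edit-course.php.
// Assumed schema: table `course` with columns `coursecode`, `coursename`.
declare(strict_types=1);

// Control (2): allow-list validation. Course codes are limited to letters,
// digits and underscore, 1-20 characters; anything else is rejected before
// it gets near a query, so quotes, semicolons and comment markers never pass.
function isValidCourseCode(string $code): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,20}$/', $code) === 1;
}

// Vulnerable pattern (do NOT use): interpolating the request value into the
// query text lets SQL metacharacters alter the statement's structure.
//   $sql = "SELECT * FROM course WHERE coursecode='" . $_GET['coursecode'] . "'";

// Control (1): the query text is fixed and the value travels separately as a
// bound parameter, so the database never parses user input as SQL.
function fetchCourse(mysqli $conn, string $code): ?array
{
    if (!isValidCourseCode($code)) {
        return null;
    }
    $stmt = $conn->prepare(
        'SELECT coursecode, coursename FROM course WHERE coursecode = ?'
    );
    $stmt->bind_param('s', $code);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Same treatment for the edit action: both values are bound, and the caller
// learns from affected_rows whether the code actually matched a row.
function updateCourseName(mysqli $conn, string $code, string $name): bool
{
    if (!isValidCourseCode($code)) {
        return false;
    }
    $stmt = $conn->prepare(
        'UPDATE course SET coursename = ? WHERE coursecode = ?'
    );
    $stmt->bind_param('ss', $name, $code);
    $stmt->execute();
    $ok = $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}
```

In the page handler, call isValidCourseCode() on the raw request value first and answer with an HTTP 400 on failure, rather than echoing the rejected value back into any query or error message.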