Online Complaint Site
CVE-2025-11515
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in code-projects Online Complaint Site 1.0. This issue affects some unknown processing of the file /cms/users/register-complaint.php. Performing manipulation of the argument cid results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
AnalysisAI
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the cid parameter in /cms/users/register-complaint.php, resulting in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the EPSS score of 0.03% and requirement for prior authentication significantly constrain real-world exploitation risk compared to the CVSSv4 score of 2.1.
Technical ContextAI
The vulnerability exists in PHP-based web application code-projects Online Complaint Site version 1.0, specifically in the complaint registration endpoint /cms/users/register-complaint.php. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Different Component, also known as 'Injection'), manifesting as SQL injection (SQLi). The cid parameter is processed without proper input validation or parameterized query protection, allowing attackers to inject arbitrary SQL commands. CPE identifier cpe:2.3:a:fabian:online_complaint_site:1.0:*:*:*:*:*:*:* confirms the affected product and single vulnerable version.
RemediationAI
Upgrade to a patched version of Online Complaint Site if available from the vendor at https://code-projects.org/. If no patched version is released, implement immediate compensating controls: (1) Restrict network access to /cms/users/register-complaint.php via firewall or reverse proxy to trusted IP ranges only - this eliminates remote attack vector at the cost of potential legitimate user access restrictions; (2) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the cid parameter (detect single quotes, SQL keywords like UNION, SELECT, etc.) - effective but may generate false positives; (3) Enforce parameterized queries or prepared statements in the application code if source code review is feasible - this is the definitive fix but requires development effort; (4) Apply input validation to the cid parameter to accept only alphanumeric identifiers, rejecting special characters - document the expected format with the application vendor or code-projects development team. Monitor access logs for SQL injection attempts and revoke user accounts showing suspicious activity.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today