Online Complaint Site
CVE-2025-11516
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in code-projects Online Complaint Site 1.0. Impacted is an unknown function of the file /cms/users/complaint-details.php. Executing manipulation of the argument cid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited.
AnalysisAI
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the cid parameter in /cms/users/complaint-details.php, leading to limited data exposure. The vulnerability requires valid user authentication and has a publicly available proof-of-concept, but the EPSS score of 0.03% and CVSS impact metrics (VC:L/VI:L/VA:L) indicate low real-world exploitation probability despite public availability of exploit code.
Technical ContextAI
The vulnerability exists in PHP code handling user input within the complaint details functionality. The cid (complaint ID) parameter is insufficiently sanitized before being used in SQL queries, allowing attackers to inject arbitrary SQL commands. CWE-74 (Improper Neutralization of Special Elements in Output) represents the root cause - the application fails to properly escape or parameterize user-supplied input before inclusion in database queries. This is a classic unsafe string concatenation pattern common in legacy PHP applications lacking prepared statement usage.
RemediationAI
Immediate patch is not available from the vendor as of this analysis. Primary remediation is to upgrade to a patched version when released by code-projects or to transition to an alternative complaint management system. If upgrade is not feasible, implement compensating controls: (1) restrict access to /cms/users/complaint-details.php to trusted internal networks using Web Application Firewall or reverse proxy rules, blocking external access; side effect is reduced accessibility for remote users. (2) Apply input validation and parameterized SQL query updates at the application level if source code is available - replace string concatenation with prepared statements or ORM frameworks; requires development effort but eliminates the root cause. (3) Implement SQL injection detection via WAF rules that block suspicious SQL syntax in the cid parameter (e.g., single quotes, UNION, SELECT keywords); note that simple pattern-based detection may be bypassed. (4) Monitor database query logs for unusual activity from authenticated accounts, though this only detects, not prevents, exploitation. Contact the vendor at code-projects.org for patch timeline and security update availability.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today