
Online Complaint Site CVE-2025-11530

Severity: LOW
Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published: 2025-10-09 · CNA: cna@vuldb.com
CVSS 4.0 score: 2.1 (NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD) breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:04 (vuln.today)

Description (CVE.org)

A weakness has been identified in code-projects Online Complaint Site 1.0. Affected is an unknown function of the file /cms/admin/state.php. Manipulation of the argument state causes SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used.

Analysis (AI)

SQL injection in Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the state parameter of /cms/admin/state.php, enabling data exfiltration or modification with limited scope. Publicly available exploit code exists; however, the CVSS score of 2.1 and the 0.03% EPSS percentile indicate low real-world exploitation risk despite the existence of a proof of concept.

Technical Context (AI)

Online Complaint Site 1.0 is a PHP-based complaint management system vulnerable to SQL injection (classified as CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')) in the state.php administrative endpoint. The vulnerability stems from insufficient input validation or the absence of parameterized queries for the state parameter, allowing an attacker to inject arbitrary SQL into the statement. The affected component handles state-related database operations within the /cms/admin/ directory, suggesting administrative functionality for managing states in the complaint workflow.

Remediation (AI)

No vendor-released patch had been identified at the time of analysis. Immediate mitigation requires parameterized queries (prepared statements) or stored procedures for all database interactions in /cms/admin/state.php, so that the state value is never interpreted as SQL text. Apply whitelist input validation to the state parameter so that it accepts only known valid state identifiers (e.g., alphanumeric or numeric IDs). Restrict access to /cms/admin/ endpoints with network firewall or WAF rules that limit administrative functionality to trusted internal networks or specific IP ranges. Disable or remove Online Complaint Site 1.0 if it is not actively used, or upgrade to a patched version if one becomes available from the vendor at https://code-projects.org/. Monitor database and application logs for suspicious queries referencing the state parameter.
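The two code-level mitigations above (whitelist validation of the state parameter, then a prepared statement) as an added PHP example. This is illustrative code written for this page, not the project's own /cms/admin/state.php; it assumes a PDO MySQL handle and a hypothetical `states` table with `id` and `name` columns.

```php
<?php
// Added illustration of the remediation; not the project's own /cms/admin/state.php.
// Assumes a PDO MySQL connection and a hypothetical table `states`(id, name).

// The unsafe pattern the advisory describes: the request value is spliced into the
// query text, so any SQL metacharacters in `state` become part of the statement.
//   $sql = "SELECT id, name FROM states WHERE id = '" . $_GET['state'] . "'";

function validateStateId(?string $raw): ?int
{
    // Whitelist: accept only a plain positive integer id (up to 10 digits), nothing else.
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function fetchState(PDO $pdo, int $id): ?array
{
    // Prepared statement: the id travels as a bound parameter, never as query text.
    $stmt = $pdo->prepare('SELECT id, name FROM states WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical connection details; replace with the application's own configuration.
$pdo = new PDO('mysql:host=localhost;dbname=complaints;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$id = validateStateId($_GET['state'] ?? null);
if ($id === null) {
    // Rejected input is logged so that repeated malformed `state` values can be alerted on.
    error_log('state.php: rejected malformed state parameter');
    http_response_code(400);
    exit('Invalid state identifier');
}

$state = fetchState($pdo, $id);
if ($state === null) {
    http_response_code(404);
    exit('Unknown state');
}

header('Content-Type: application/json');
echo json_encode($state);
```

The validation step does the rejecting, not the prepared statement; the latter is what keeps the database safe even if a future change widens what the whitelist accepts.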


CVE-2025-11530 vulnerability details – vuln.today
