Online Complaint Site
CVE-2025-11552
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was identified in code-projects Online Complaint Site 1.0. It affects an unknown function of the file /admin/category.php. Manipulation of the argument Category leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used.
Analysis (AI-generated)
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter of /admin/category.php; exploit code is publicly available. The CVSS score of 2.1 reflects the limited confidentiality impact and the requirement for low-privilege authentication, and the EPSS of 0.03% indicates a very low real-world exploitation probability despite the public PoC.
Technical Context (AI-generated)
The vulnerability lies in a PHP web application at the /admin/category.php endpoint, where user-supplied input from the Category parameter is incorporated directly into SQL queries without sanitization or parameterized query preparation. It is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the injection class in which untrusted input flows directly into an SQL context. The affected product is code-projects Online Complaint Site version 1.0, a complaint management application identified by the CPE cpe:2.3:a:fabian:online_complaint_site:1.0.
Remediation (AI-generated)
Contact the vendor (fabian / code-projects.org) to request a security patch for version 1.0, and upgrade as soon as an updated version is released. Until a patch is available, apply the following compensating controls:
(1) Restrict access to /admin/category.php to trusted administrator IP addresses via firewall rules or web server access control lists. This removes the endpoint's exposure to untrusted networks while retaining functionality for authorized administrators.
(2) Apply input validation at the application level: check the Category parameter against a whitelist of allowed values before it is used in any SQL query, or, better, convert all SQL queries in category.php to prepared statements with bound parameters.
(3) Reduce the authentication scope by auditing and limiting which user accounts have low-privilege admin access to the category management function.
The primary mitigation is code-level remediation, since the SQL injection stems from inadequate input handling rather than from configuration.
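The two code-level controls in step (2), shown side by side with the weak pattern they replace. This is an added, constructed illustration, not the source of Online Complaint Site 1.0; the table name, column names and request parameter layout are assumptions, and the demo runs stand-alone on an in-memory SQLite database so no server is needed.

```php
<?php
// Added, constructed illustration of the remediation above; it is NOT the
// source of Online Complaint Site 1.0, and the table, column and parameter
// names are assumptions. Runs stand-alone on an in-memory SQLite database.

// Weak pattern (the CWE-74 flaw class described): the Category value is
// spliced into the query text, so quote characters in it alter the SQL.
function find_category_unsafe(PDO $db, string $category): array
{
    $sql = "SELECT id, name FROM categories WHERE name = '$category'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened step 1: allowlist validation before the value is used anywhere.
function validate_category(string $category): ?string
{
    // Only the characters a category name legitimately needs are accepted.
    return preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $category) === 1 ? $category : null;
}

// Hardened step 2: prepared statement with a bound parameter; the value is
// passed as data and cannot change the structure of the query.
function find_category_safe(PDO $db, string $category): array
{
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE name = :name');
    $stmt->execute([':name' => $category]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO categories (name) VALUES ('Billing'), ('Service')");

// A benign lookup behaves the same in both forms.
printf("safe, benign input: %d row(s)\n", count(find_category_safe($db, 'Billing')));

// A value containing a quote: the bound parameter simply matches nothing, while
// the string-spliced query is rejected by the database (a crafted value would
// instead rewrite it), which is what the allowlist and the binding prevent.
printf("safe, quoted input: %d row(s)\n", count(find_category_safe($db, "Bill'ing")));
try {
    find_category_unsafe($db, "Bill'ing");
} catch (PDOException $e) {
    echo "unsafe, quoted input: rejected: " . $e->getMessage() . "\n";
}

// How /admin/category.php should treat the request parameter (assumed name).
$category = validate_category($_POST['Category'] ?? '');
$rows = $category === null ? [] : find_category_safe($db, $category);
```

Run it with `php example.php` on any PHP build with pdo_sqlite enabled; the allowlist alone would also have rejected the quoted value before it reached the database.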