Automated Voting System
CVE-2025-11668
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in code-projects Automated Voting System 1.0. Affected by this issue is some unknown functionality of the file /admin/update_user.php. This manipulation of the argument Password causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
SQL injection in Automated Voting System 1.0 allows high-privileged remote attackers to manipulate the Password parameter in /admin/update_user.php, potentially causing limited confidentiality and integrity impacts. The vulnerability requires admin-level privileges (PR:H) to exploit and has publicly available exploit code, but carries very low real-world risk due to EPSS of 0.01% and the high privilege requirement that limits practical attack surface.
Technical ContextAI
The vulnerability exists in a PHP-based voting application at the admin endpoint /admin/update_user.php. The underlying issue is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component-'Injection'), specifically SQL injection where user-supplied input from the Password parameter is not properly sanitized before being used in SQL queries. This is a classic parameterized query failure or missing input validation flaw in PHP code that constructs dynamic SQL statements without adequate escaping or prepared statement usage.
RemediationAI
No vendor-released patch identified at time of analysis. Primary mitigation is immediate upgrade to a patched version if available from the vendor (code-projects.org); however, vendor patch status is not confirmed in available data. As immediate compensating controls, restrict access to /admin/update_user.php to trusted administrative IPs only via firewall or web server access control lists-this directly mitigates the network-accessible attack vector by reducing the exposed surface. Implement parameterized SQL queries or prepared statements in the update_user.php file to neutralize SQL injection, though this requires application-level code review and remediation by the vendor or internal security team. Monitor database logs for anomalous SQL queries targeting user records, and enforce strong admin credential management (multi-factor authentication, access logging) to prevent credential compromise that would enable exploitation. Disable the update_user.php endpoint entirely if not actively used in your deployment, as the admin panel is typically not required for end-user voting functionality.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today