SourceCodester Student Grades Management System CVE-2025-12332
Severity (by source): LOW
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A flaw has been found in SourceCodester Student Grades Management System 1.0. This affects the function delete_user of the file /admin.php. Executing manipulation can lead to cross-site scripting. The attack may be performed from remote. The exploit has been published and may be used.
Analysis (AI)
Cross-site scripting (XSS) in SourceCodester Student Grades Management System 1.0: the delete_user function in /admin.php writes attacker-controlled input into the page without neutralizing it, so script injected by an authenticated administrator runs in the browser of any other user who views the affected content. The CVE description does not say whether the payload is stored or reflected; the CVSS 4.0 vector (PR:H, UI:P) only states that exploitation needs administrative privileges plus a victim's interaction, and it rates the outcome as a low integrity impact (score 1.9, with E:P reflecting the published proof of concept). Public exploit code exists, but the very low EPSS score (0.05%, 14th percentile) points to little real-world exploitation so far.
Technical Context (AI)
The application is a PHP-based student management system published on SourceCodester by Remy Andrade. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation): a value supplied to the delete_user function, reached through the admin panel in /admin.php, is written back into the HTML response without being validated or HTML-encoded. The attack vector is network-based (AV:N), so the endpoint is reachable remotely, but high privileges (PR:H) are required, meaning the request must carry an administrator session. The user-interaction requirement (UI:P) means a victim must view or act on the attacker-crafted content, for example by opening an admin page that renders the injected value or by following a crafted link. Both stored and reflected XSS fit this vector, and the published description does not distinguish between them.
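The CWE-79 pattern described above, shown as an added example beside a hardened version. This is constructed code, not the Student Grades Management System's own handler; the parameter name `id`, the alert markup and the function names are assumptions, since the vulnerable source is not reproduced on this page.

```php
<?php
declare(strict_types=1);

// Added example; not code from the Student Grades Management System.
// The real delete_user handler is not reproduced here. These two functions
// show the CWE-79 pattern the CVE describes and one way to close it.

// Output-encoding helper for HTML text and quoted-attribute contexts.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would hide errors).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: whatever arrives in ?id= is interpolated straight into
// the response body, so a <script> element or an onerror= attribute in the
// parameter becomes live markup in the browser of whoever views the page.
function delete_user_vulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    // ... row deletion omitted ...
    return "<div class=\"alert\">User $id deleted.</div>";
}

// Hardened pattern: a user id is only ever a positive integer, so reject
// anything else before it is used, and HTML-encode every value that reaches
// the page even after validation (defence in depth if the check is relaxed).
function delete_user_hardened(array $query): string
{
    $id = filter_var(
        $query['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return '<div class="alert">Invalid user id.</div>';
    }
    // ... row deletion via a prepared statement with $id bound as an integer omitted ...
    return '<div class="alert">User ' . e((string) $id) . ' deleted.</div>';
}

// Constructed payload of the kind a public XSS proof of concept typically uses.
$payload = ['id' => '<img src=x onerror=alert(document.cookie)>'];

// The vulnerable version hands the tag back unchanged; the hardened version
// refuses the value because it is not an integer, and would encode it anyway.
echo delete_user_vulnerable($payload), PHP_EOL;
echo delete_user_hardened($payload), PHP_EOL;
```

Validation on the way in and encoding on the way out are separate controls: the integer check alone would be undone by the first developer who lets `id` become a username, while encoding alone still lets junk reach the database. A Content-Security-Policy that forbids inline script adds a third layer, but needs testing against the application's own inline scripts before it is deployed.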
Remediation (AI)
No patched version is identified in the available references. SourceCodester projects are distributed as source code, so operators are expected to apply the fix themselves: validate the parameter handled by delete_user (an identifier should be accepted only as an integer) and HTML-encode every user-supplied value before it is written into a page, in this function and across the rest of the admin panel. Until that is done, restrict who can reach /admin.php at the web server layer (IP allow-listing, an additional authentication factor in front of the application) and, if the deployment allows it, disable the delete_user action. Web Application Firewall (WAF) rules that block common XSS payloads in parameters sent to /admin.php reduce exposure but are a stopgap rather than a fix, since filter bypasses for XSS are routine. Note that exploitation already requires an administrator account, so the realistic scenario is one privileged user attacking other users, or an administrator tricked into following a crafted link, rather than an anonymous attacker gaining access. Official patches or advisories would appear at https://www.sourcecodester.com/. Given the low CVSS and EPSS scores, this can go through standard change management rather than emergency patching.
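One way to implement the web-server-layer restriction described above, as an added nginx example. It is not from the project or the advisory; the 10.0.0.0/8 network range, the credential file and the PHP-FPM socket path are placeholders to adapt to the deployment.

```nginx
# Added example; the address range, htpasswd file and socket path are placeholders.
# nginx's default 'satisfy all' means a request must pass BOTH the source-IP
# check and HTTP basic authentication before PHP-FPM ever sees /admin.php.
# Without this block (the weak setting), /admin.php is served to any client
# that can reach the host, and only the application's own login protects it.
location = /admin.php {
    allow 10.0.0.0/8;                                  # administrative network only
    deny  all;

    auth_basic           "Administration";             # second factor in front of the app
    auth_basic_user_file /etc/nginx/admin.htpasswd;    # create with: htpasswd -c <file> <user>

    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;
}
```

Use `location =` rather than a prefix match so that only /admin.php is gated, and keep the same `fastcgi_*` directives as the site's generic `~ \.php$` location, because a more specific `location` replaces that block entirely rather than inheriting from it. This limits who can reach the vulnerable function; it does not change what the function does with its input, so the code fix above is still required.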