CVE-2025-47573

EUVD-2025-18538 | CRITICAL | CVSS 3.1: 9.3
2025-06-17 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd), EUVD-2025-18538
Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
CVE Published: Jun 17, 2025 - 15:15 (nvd), CRITICAL 9.3

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management allows Blind SQL Injection. This issue affects School Management: from n/a through 92.0.0.

Analysis

Blind SQL injection vulnerability in mojoomla School Management that allows unauthenticated network attackers to extract sensitive data from the application's database without direct visibility of query results. The vulnerability affects School Management versions up to 92.0.0 and carries a CVSS score of 9.3, indicating critical severity. The attack requires no user interaction, no privileges, and low complexity, making it highly exploitable in real-world scenarios.

Technical Context

The vulnerability is rooted in CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically manifesting as blind SQL injection. mojoomla School Management fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. Unlike classic SQL injection, blind SQL injection does not return database query results directly in the application response; instead, attackers infer data by observing conditional behavioral differences (response timing, boolean-based responses, or error-based discrepancies). The affected product is mojoomla School Management (CPE likely: cpe:2.3:a:mojoomla:school_management:*:*:*:*:*:*:*:*), versions from an unspecified baseline through 92.0.0. The vulnerability exists in input validation logic, typically in web request handlers processing student data, administrative parameters, or search/filter functions commonly found in school management portals.
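The difference between concatenated and parameterized input described above, as an added example that is not code from the product or from this advisory. The table, the function names and the probe strings are constructed for illustration, and SQLite stands in for the application's database.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a record lookup (not the product's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?)", [(1, "Ada"), (2, "Linus")])
    return db


def found_concat(db, student_id: str) -> bool:
    """Weak form: the input is spliced into the SQL text, so it can extend the WHERE clause."""
    sql = "SELECT name FROM students WHERE id = " + student_id
    return db.execute(sql).fetchone() is not None


def found_param(db, student_id: str) -> bool:
    """Corrected form: the input is bound as a value and is never parsed as SQL."""
    sql = "SELECT name FROM students WHERE id = ?"
    return db.execute(sql, (student_id,)).fetchone() is not None


def leaks_condition(handler, db) -> bool:
    """Regression check: does the found/not-found answer depend on a condition in the input?

    A handler for which this returns True exposes the boolean side channel that
    blind SQL injection relies on, even though no query result is ever displayed.
    """
    return handler(db, "1 AND 1=1") != handler(db, "1 AND 1=2")


if __name__ == "__main__":
    db = make_db()
    for handler in (found_concat, found_param):
        print(handler.__name__, "answer depends on embedded condition:",
              leaks_condition(handler, db))
```

A check like `leaks_condition` can be kept as a regression test for every handler that builds a query from request input.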

Affected Products

School Management: 0.0.0 through 92.0.0 (all versions up to and including 92.0.0)

Priority Score

47 (KEV: 0, EPSS: +0.1, CVSS: +46, POC: 0)
