Projectworlds Online Admission System CVE-2025-8247
Severity (by source): LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability classified as critical has been found in Projectworlds Online Admission System 1.0. This affects an unknown part of the file /admin.php. The manipulation of the argument markof leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Projectworlds Online Admission System 1.0 allows an authenticated remote attacker to manipulate the 'markof' parameter of /admin.php and alter the SQL query the script executes; NVD rates the resulting confidentiality, integrity and availability impact as low (VC:L/VI:L/VA:L). Exploit code is publicly available (E:P), but the EPSS score of 0.07% estimates a low probability of in-the-wild exploitation, and the PR:L precondition means the issue matters mainly for deployments where admin credentials are already compromised or otherwise obtainable.
Technical Context (AI)
The vulnerability is a SQL injection affecting a PHP-based web application. It is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')); the SQL-specific weakness is its child, CWE-89. The attack vector is the 'markof' parameter passed to /admin.php, which reaches a database query without input validation or a parameterized-query defense. The application most likely builds the SQL statement by concatenating the user-supplied value directly into the query string rather than binding it through a prepared statement, so a quote character in the value closes the intended string literal and the remainder is parsed as SQL, letting the attacker alter the WHERE clause or append further clauses such as a UNION SELECT against other tables.
Remediation (AI)
No vendor-released patch identified at time of analysis. The fix is to rewrite the SQL in /admin.php, and in particular the statement that consumes the 'markof' parameter, to use prepared statements with bound parameters for every value taken from the request; input validation (for example, an allowlist on the expected shape of 'markof') is worthwhile as a second layer but does not substitute for binding. Compensating controls until that is done: restrict access to /admin.php to trusted IP addresses with firewall or web application firewall (WAF) rules; enforce strong, unique admin credentials and multi-factor authentication so that the PR:L precondition is harder to meet; and review web server access logs and database query logs for quote characters, UNION or comment markers in the 'markof' value, which indicate injection attempts. If the deployment runs from a fork of the source, use the publicly disclosed PoC (GitHub reference) to locate the exact injection point before applying the prepared-statement change. These workarounds reduce exploitability but do not remove the underlying vulnerability.
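As an added illustration of the weakness described under Technical Context and of the prepared-statement fix and log review recommended under Remediation (example code written for this page, not taken from Projectworlds' source or from the public PoC): the same marks lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite database. The table and column names, the assumption that 'markof' is a numeric student id, the injection payload and the access-log lines are all assumptions made for the example; the real application is PHP with a MySQL-style backend, and Python/sqlite3 is used here only because it runs stand-alone.

```python
import re
import sqlite3

# Constructed stand-in for the application's database. The table and column
# names are assumptions for this example, not Projectworlds' real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT);
        CREATE TABLE marks (student_id INTEGER, subject TEXT, mark INTEGER);
        INSERT INTO students VALUES (1, 'alice', 'h1'), (2, 'bob', 'h2');
        INSERT INTO marks VALUES (1, 'math', 91), (1, 'physics', 78), (2, 'math', 64);
    """)
    return conn


def marks_vulnerable(conn, markof):
    """The CWE-89 pattern: the request parameter is pasted into the SQL text,
    so a quote in markof closes the literal and the rest is executed as SQL."""
    sql = "SELECT subject, mark FROM marks WHERE student_id = '" + markof + "'"
    return conn.execute(sql).fetchall()


def marks_parameterized(conn, markof):
    """Prepared statement with a bound parameter: the driver sends markof as
    data, so the SQL cannot change no matter what the value contains."""
    sql = "SELECT subject, mark FROM marks WHERE student_id = ?"
    return conn.execute(sql, (markof,)).fetchall()


# Assumption: markof is a numeric id. Allowlisting its shape before the query
# is defence in depth; it does not replace the bound parameter above.
MARKOF_RE = re.compile(r"[0-9]{1,10}")

def validate_markof(markof):
    if not MARKOF_RE.fullmatch(markof):
        raise ValueError("markof must be a numeric id")
    return int(markof)


# Detection: a quote (raw or URL-encoded) followed by an SQL keyword or a
# comment marker inside the admin.php query string is a cheap log-review signal.
SUSPICIOUS_RE = re.compile(
    r"admin\.php\?[^ ]*(?:%27|')(?:%20|\+|\s)*(?:or|and|union|select|--|#)",
    re.IGNORECASE,
)

def flag_suspicious_requests(log_lines):
    return [line for line in log_lines if SUSPICIOUS_RE.search(line)]


# Constructed access-log lines for the detector (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /admin.php?markof=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2025:10:00:07 +0000] "GET /admin.php?markof=x%27%20UNION%20SELECT%20name,pass_hash%20FROM%20students%20-- HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    conn = make_db()
    payload = "x' UNION SELECT name, pass_hash FROM students --"
    print("concatenated :", marks_vulnerable(conn, payload))    # leaks the students table
    print("parameterized:", marks_parameterized(conn, payload))  # []
    print("flagged      :", flag_suspicious_requests(SAMPLE_LOG))
```

With the concatenated query the UNION payload returns every student's name and password hash; the bound-parameter version returns nothing for the same input because the whole string is compared as a value. The allowlist and the log pattern map to the input-validation and monitoring items above and are compensating layers only; binding is the fix.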