Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Lifecycle Timeline

Description (CVE.org)
A vulnerability was found in code-projects School Fees Payment System 1.0 and classified as critical. This issue affects some unknown processing of the file /datatable.php. The manipulation of the argument sSortDir_0 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /datatable.php file where the sSortDir_0 parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the underlying database. The vulnerability has been publicly disclosed with exploit code available, indicating active exploitation risk.
Technical Context (AI)
The vulnerability exists in a PHP-based web application (School Fees Payment System) that uses the DataTables JavaScript library, or a similar one, for server-side data rendering. The sSortDir_0 parameter is the sorting-direction argument used in legacy DataTables AJAX requests. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), reflecting insufficient input validation and the absence of parameterized queries. The /datatable.php endpoint concatenates the user-supplied sorting parameter directly into an SQL query without escaping, type casting, or prepared statements. This is a classic direct injection scenario in which user input flows straight into database commands through dynamic query construction.
Remediation (AI)
Immediate actions:
(1) Apply vendor patches: contact code-projects for security updates, or migrate to a patched version if one is available.
(2) Implement Web Application Firewall (WAF) rules that reject requests whose sSortDir_0 parameter contains anything other than the whitelisted values ASC or DESC.
(3) Code-level fix: replace dynamic query construction in /datatable.php with prepared statements using parameterized queries, and validate sSortDir_0 against a strict whitelist of 'ASC' or 'DESC' before it is incorporated into SQL.
(4) Disable DataTables server-side processing if it is not required; use client-side sorting instead.
(5) Implement strict input validation: sSortDir_0 must match the regex ^(ASC|DESC)$ case-insensitively.
(6) Apply the principle of least privilege: the database user the PHP application runs as should have SELECT-only permissions, preventing INSERT/UPDATE/DELETE via injection.
(7) Monitor database logs for suspicious queries containing UNION, SLEEP(), or CAST operators.
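The remediation items (3) and (5) above describe the fix in words; the following is an added PHP example (not code from the School Fees Payment System or from code-projects) showing the vulnerable pattern beside its hardened form. One point the remediation text leaves implicit: an ORDER BY column or direction cannot be bound as a prepared-statement parameter, so for sSortDir_0 the effective control is a strict whitelist, and prepared statements cover the remaining data values (search text, limit, offset). The table and column names, the PDO connection, and the companion legacy DataTables parameters (iSortCol_0, iDisplayStart, iDisplayLength, sSearch) are assumptions for illustration and do not come from the advisory.

```php
<?php
// Added example, not the project's code. Demonstrates whitelisting the legacy
// DataTables sort parameters before they reach SQL. Schema names are assumed.

// --- Vulnerable pattern: the raw direction is concatenated into the query. ---
function build_order_clause_vulnerable(array $get): string {
    $dir = $get['sSortDir_0'] ?? 'asc';
    // No validation: whatever arrives in sSortDir_0 becomes query text.
    return " ORDER BY fee_date " . $dir;
}

// --- Hardened pattern ---------------------------------------------------
// Assumed set of columns the table may be sorted by (index = DataTables column).
const SORTABLE_COLUMNS = ['student_name', 'fee_date', 'amount'];

// Returns exactly 'ASC' or 'DESC'; anything else falls back to 'ASC'.
function sort_direction(array $get): string {
    $dir = strtoupper((string)($get['sSortDir_0'] ?? 'ASC'));
    return preg_match('/^(ASC|DESC)$/', $dir) === 1 ? $dir : 'ASC';
}

// Maps the iSortCol_0 index (assumed companion parameter) onto the whitelist;
// out-of-range or non-integer values fall back to the first column.
function sort_column(array $get): string {
    $idx = filter_var($get['iSortCol_0'] ?? 0, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => count(SORTABLE_COLUMNS) - 1],
    ]);
    return SORTABLE_COLUMNS[$idx === false ? 0 : $idx];
}

// Builds and runs the query: ORDER BY pieces come only from the whitelist,
// every user-supplied data value is bound through PDO.
function fetch_fees(PDO $pdo, array $get): array {
    $orderBy = sort_column($get) . ' ' . sort_direction($get);
    $limit   = max(0, (int)($get['iDisplayLength'] ?? 10));
    $offset  = max(0, (int)($get['iDisplayStart'] ?? 0));
    $search  = '%' . (string)($get['sSearch'] ?? '') . '%';

    $sql = "SELECT student_name, fee_date, amount FROM fees
            WHERE student_name LIKE :search
            ORDER BY $orderBy
            LIMIT :limit OFFSET :offset";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':search', $search, PDO::PARAM_STR);
    $stmt->bindValue(':limit',  $limit,  PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request with a malformed direction and an out-of-range column index.
$request = ['sSortDir_0' => 'DESC junk', 'iSortCol_0' => '7'];
echo "vulnerable: ", build_order_clause_vulnerable($request), PHP_EOL;
echo "hardened:   ORDER BY ", sort_column($request), ' ', sort_direction($request), PHP_EOL;
```

Running the script without a database exercises only the whitelist functions: the vulnerable builder passes the malformed direction through verbatim, while the hardened path reduces it to a value from the fixed set. fetch_fees needs a PDO connection to the assumed fees table; its structure is the shape to aim for when rewriting /datatable.php.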
EUVD ID: EUVD-2025-17818