EUVD-2025-17833Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability classified as critical has been found in code-projects School Fees Payment System 1.0. This affects an unknown part of the file /branch.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /branch.php file's ID parameter, allowing remote unauthenticated attackers to execute arbitrary SQL commands. The vulnerability has been publicly disclosed with proof-of-concept exploitation available, and while the CVSS score is 7.3 (High), the unauthenticated network-accessible attack vector combined with confirmed public exploit disclosure indicates active exploitation risk. This affects all deployments of the vulnerable version without patches applied.
Technical ContextAI
The vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection), which represents insufficient input validation and output encoding in SQL context. The affected application, code-projects School Fees Payment System 1.0, fails to properly sanitize or parameterize the 'ID' parameter passed to /branch.php, allowing attackers to inject malicious SQL syntax directly into database queries. The web application architecture suggests a PHP-based backend with direct SQL query construction rather than prepared statements or parameterized queries (likely MySQL/MariaDB). The attack surface is maximized by the lack of authentication requirements (PR:N in CVSS vector) and the simplicity of HTTP-based exploitation over network protocols.
RemediationAI
Immediate remediation steps: (1) Patch/Upgrade: Update code-projects School Fees Payment System to a version beyond 1.0 that implements parameterized queries or prepared statements for the /branch.php ID parameter; (2) Input Validation Workaround (if patch unavailable): Implement strict whitelist validation ensuring ID parameter contains only numeric characters before query execution (e.g., regex: ^[0-9]+$); (3) WAF Mitigation: Deploy Web Application Firewall rules to block requests containing SQL keywords (SELECT, UNION, DROP, etc.) in the ID parameter; (4) Database Hardening: Limit database user permissions to minimal required privileges (read-only for queries, no DROP/ALTER); (5) Access Control: Restrict /branch.php access via IP whitelisting or authentication layer until patched; (6) Monitoring: Enable SQL query logging and audit logs for anomalous query patterns. No official vendor patches referenced; contact code-projects support for security update availability.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today