CVE Alert: CVE-2025-11032 – kidaze – CourseSelectionSystem

CVE-2025-11032

Severity: HIGH | No exploitation known | PoC observed

A flaw has been found in kidaze CourseSelectionSystem up to commit 42cd892b40a18d50bd4ed1905fa89f939173a464. The issue affects unspecified processing in the file /Profilers/PriProfile/COUNT3s6.php. Manipulation of the argument CPU can lead to SQL injection. The attack can be launched remotely. An exploit has been published and may be used. This product uses a rolling release model for continuous delivery, so version information for affected or updated releases is not disclosed.

CVSS v3.1 score: 7.3
Vendor: kidaze
Product: CourseSelectionSystem
Versions: 42cd892b40a18d50bd4ed1905fa89f939173a464
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-26T17:32:05.839Z
Updated: 2025-09-26T17:49:58.986Z

AI Summary Analysis

Risk verdict

High risk: publicly released PoC enables remote SQL injection with no authentication, making exploitation feasible without user interaction.

Why this matters

An attacker could exfiltrate or tamper data, disrupt service, or pivot within the application’s data domain. The vulnerability targets a web-facing PHP endpoint, increasing exposure for educational institutions and organisations hosting student data or sensitive records.

Most likely attack path

An attacker can reach the vulnerable endpoint over the network (AV:N) with no user interaction (UI:N) and no credentials (PR:N). The attack relies on manipulating the CPU input (AC:L) to trigger SQL injection, with low-rated impact on confidentiality, integrity, and availability (C:L/I:L/A:L). Scope is unchanged (S:U), so the direct impact stays within the affected component unless the attacker moves further through the database itself.

Who is most exposed

Applications with publicly reachable PHP endpoints and rolling-release deployments are at highest risk, especially those handling sensitive student or organisational data and lacking robust input validation.

Detection ideas

  • Monitor for unusual or crafted values targeting the CPU parameter in requests to the vulnerable endpoint.
  • Look for SQL error messages or database-level anomalies in application and DB logs.
  • Flag spikes in failed/blocked requests to the endpoint from diverse IPs.
  • Review web application firewall (WAF) alerts for injection-like payloads.
  • Correlate with signs of data access or modification inconsistent with normal use.
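The first three detection ideas above, as an added example written for this alert (not code from kidaze or from the advisory source): a small Python rule that scans constructed access-log lines for requests to the vulnerable path, percent-decodes the CPU argument, flags values that are not a plain integer (an assumption about the legitimate input, not something the page states), and tallies findings per client IP.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/Profilers/PriProfile/COUNT3s6.php"  # endpoint named in the advisory
PARAM = "CPU"                                     # argument named in the advisory

# Constructed sample access-log lines (combined log format); not real traffic
SAMPLE_LOG = """\
10.0.0.5 - - [26/Sep/2025:17:40:01 +0000] "GET /Profilers/PriProfile/COUNT3s6.php?CPU=12 HTTP/1.1" 200 512
10.0.0.9 - - [26/Sep/2025:17:40:03 +0000] "GET /Profilers/PriProfile/COUNT3s6.php?CPU=12%27%20OR%201%3D1-- HTTP/1.1" 200 9876
10.0.0.9 - - [26/Sep/2025:17:40:04 +0000] "GET /Profilers/PriProfile/COUNT3s6.php?CPU=1%20UNION%20SELECT%201 HTTP/1.1" 500 231
10.0.0.7 - - [26/Sep/2025:17:40:05 +0000] "GET /index.php?CPU=%27 HTTP/1.1" 200 100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Tokens that never belong in a value the application treats as a number
SQL_TOKENS = re.compile(r"""['";]|--|/\*|\b(union|select|sleep|benchmark|or|and)\b""", re.I)

def classify_value(value):
    """None for a clean value, else a short reason.
    Assumption (not stated on the page): a legitimate CPU argument is an integer id."""
    if re.fullmatch(r"\d+", value):
        return None
    return "sql-metacharacters" if SQL_TOKENS.search(value) else "non-numeric"

def scan_log(text):
    """Return one finding per suspicious CPU value sent to the vulnerable path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != VULN_PATH:
            continue  # other endpoints are out of scope for this rule
        # parse_qs percent-decodes once, so encoded quotes are seen in the clear
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            reason = classify_value(value)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                                 "value": value, "reason": reason})
    return findings

def sources(findings):
    """Findings per client IP, to spot one source hammering the endpoint."""
    return Counter(f["ip"] for f in findings)
```

Pair the findings with database error logs and WAF events from the same timestamps; a 500 response on the endpoint alongside a flagged value is a strong signal worth escalating.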

Mitigation and prioritisation

  • Apply the vendor fix or upgrade to a patched/validated release as soon as available.
  • Enforce parameterised queries and strong input validation; use prepared statements.
  • Tighten access to the endpoint: implement authentication, input whitelisting, or disable the endpoint if feasible.
  • Deploy WAF rules to detect injection patterns and rate-limit suspicious traffic.
  • Schedule urgent patching and testing in staging before production; document change-management steps. If the CVE appears in CISA KEV, or an EPSS score is available and is ≥0.5, treat it as priority 1.
