CVE Alert: CVE-2025-11052 – kidaze – CourseSelectionSystem

CVE-2025-11052

HIGH | No exploitation known

A security flaw has been discovered in kidaze CourseSelectionSystem 1.0/5.php. The impacted element is an unknown function of the file /Profilers/PriProfile/COUNT3s5.php. Manipulation of the argument csslc results in SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited.

CVSS v3.1 (7.3)
Vendor: kidaze
Product: CourseSelectionSystem
Versions: 1.0 | 5.php
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-27T07:02:06.610Z
Updated: 2025-09-27T07:02:06.610Z

AI Summary Analysis

Risk verdict

High risk of remote SQL injection exploitation, with publicly available exploit evidence; monitor and patch urgently.

Why this matters

Attackers can access and potentially exfiltrate student data or other sensitive information stored in the database, and may manipulate records if privileges permit. The vulnerability sits in a web-facing PHP component, so an automated attacker could scan for it and leverage it without user interaction.

Most likely attack path

An internet-facing request to the COUNT3s5.php endpoint triggers an SQL injection via the csslc parameter. With AV:N/AC:L/PR:N/UI:N in CVSS terms, exploitation requires no prior user authentication, and the impact can affect confidentiality, integrity, and availability within the affected scope. The attacker can enumerate data or modify results, subject to the app’s existing DB permissions.

Who is most exposed

Publicly accessible CourseSelectionSystem deployments, common in educational institutions or small organisations hosting student portals, are most at risk. Exposed web endpoints handling PHP inputs are typical attack surfaces in these environments.

Detection ideas

  • Surge of unusual SQL errors or database error messages in app logs.
  • Repeated requests to COUNT3s5.php with anomalous csslc payloads.
  • Sudden spikes in data-limit or UNION-based query patterns.
  • Unexpected reading or dumping of login/grade tables.
  • Anomalous authentication or session activity corresponding to the endpoint.
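
One way to implement the "repeated requests to COUNT3s5.php with anomalous csslc payloads" check, as an added example that is not part of the original alert: it scans web access logs for requests to the advisory's endpoint whose csslc value decodes to common SQL metacharacters or keywords, and counts them per client. The combined log format, the marker list, the legitimate value `CS101` and the sample lines are assumptions constructed for illustration; values sent in a POST body do not appear in access logs and need application or WAF logging instead.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/Profilers/PriProfile/COUNT3s5.php"  # file path named in the advisory
PARAM = "csslc"                                  # argument named in the advisory

# Assumed common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic markers (assumption): tune to what csslc legitimately contains.
SUSPICIOUS = re.compile(r"['\"`;]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b", re.I)

def decode_fully(value, rounds=3):
    """Undo nested URL encoding (e.g. %2527) so markers cannot hide behind it."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (hits, per_ip): flagged requests and how many each client sent."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(ENDPOINT.lower()):
            continue  # only the affected endpoint is of interest
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                hits.append((m["ip"], m["status"], value))
                per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Sep/2025:08:00:01 +0000] "GET /Profilers/PriProfile/COUNT3s5.php?csslc=CS101 HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Sep/2025:08:00:05 +0000] "GET /Profilers/PriProfile/COUNT3s5.php?csslc=1%27+OR+%271%27%3D%271 HTTP/1.1" 500 0',
    '203.0.113.9 - - [27/Sep/2025:08:00:06 +0000] "GET /Profilers/PriProfile/COUNT3s5.php?csslc=1%2527%2520UNION%2520SELECT%2520NULL HTTP/1.1" 200 90',
    '198.51.100.7 - - [27/Sep/2025:08:00:09 +0000] "GET /index.php?csslc=%27 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, status, value in hits:
        print(f"{ip} status={status} {PARAM}={value!r}")
    print("flagged requests per client:", dict(per_ip))
```

Flagged requests that return a 5xx status line up with the "unusual SQL errors" idea above and are worth correlating with database error logs for the same timestamps.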

Mitigation and prioritisation

  • Patch to a fixed version or apply a vendor-supplied remediation; implement parameterised queries.
  • Deploy WAF/IPS signatures and restrict input handling for the affected endpoint.
  • Enforce least-privilege DB accounts and monitor for abnormal data access patterns.
  • Code changes to input validation and error handling; remove dynamic SQL.
  • Change-management: schedule a rapid patch window; test in a staging environment.
  • If KEV true or EPSS ≥ 0.5, treat as priority 1.
