CVE Alert: CVE-2025-11063 – Campcodes – Online Learning Management System

CVE-2025-11063

Severity: HIGH
Exploitation status: No exploitation known

A vulnerability was identified in Campcodes Online Learning Management System 1.0. This issue affects some unknown processing of the file /admin/edit_department.php. The manipulation of the argument d leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVSS v3.1: 7.3
Vendor: Campcodes
Product: Online Learning Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-27T13:32:06.397Z
Updated: 2025-09-27T13:32:06.397Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote SQL injection with publicly available exploit creates clear exposure for data theft or alteration.

Why this matters

LMS environments often hold sensitive student and staff data; exploitation can lead to data exfiltration, tampering with course/department data, and disruption of learning operations. With a publicly available exploit, the threat landscape widens to opportunistic and automated attackers seeking quick wins or broader campaigns.

Most likely attack path

  • Attacker targets the internet-facing /admin/edit_department.php endpoint, supplying a crafted d parameter to trigger SQL injection.
  • No user interaction or authentication is required (PR:N, UI:N in the vector); network access to the endpoint suffices.
  • Possible outcomes include data leakage or modification with potential secondary access to the database; lateral movement risks are possible if DB credentials or services are exposed.

Who is most exposed

Institutions using Campcodes Online Learning Management System 1.0 deployed with publicly accessible admin interfaces, including self-hosted or hosted providers serving multiple schools or organisations.

Detection ideas

  • Look for SQL error messages or abnormal database errors in app logs around edit_department.php requests.
  • WAF/IDS alerts for SQL injection payloads targeting the d parameter (typical union/select patterns, information_schema access).
  • Unusual spikes in traffic to the admin endpoint or failed/blocked requests from a single source.
  • DB slow queries or unusual query patterns tied to department data tables.
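The detection ideas above applied to constructed access-log lines, as an added example that is not code from this page or from Campcodes; the log format, the indicator patterns, the threshold for repeated attempts from one source, and the assumption that d should be a numeric department id are all assumptions of this example, not statements from the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs
# Constructed sample access-log lines (combined-log style); not real traffic from any deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2025:13:40:01 +0000] "GET /admin/edit_department.php?d=7 HTTP/1.1" 200 512
203.0.113.5 - - [27/Sep/2025:13:40:05 +0000] "GET /admin/edit_department.php?d=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0
198.51.100.9 - - [27/Sep/2025:13:41:10 +0000] "GET /admin/edit_department.php?d=7%20AND%201=1 HTTP/1.1" 200 512
192.0.2.4 - - [27/Sep/2025:13:42:00 +0000] "GET /admin/index.php HTTP/1.1" 200 1024
203.0.113.5 - - [27/Sep/2025:13:42:05 +0000] "GET /admin/edit_department.php?d=7%20UNION%20SELECT%20x%20FROM%20information_schema.tables HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$')
# Indicators the advisory lists (union/select, information_schema) plus a stray quote and numeric tautologies.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|information_schema|'|\b(?:or|and)\b\s+\d+\s*=\s*\d+", re.IGNORECASE)

def parse_line(line):
    # One combined-format line -> dict with decoded query parameters, or None if it does not parse.
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"], rec["params"] = url.path, parse_qs(url.query, keep_blank_values=True)  # values percent-decoded
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    # Detection reasons for one request to the affected endpoint; [] means nothing suspicious.
    reasons = []
    if rec["path"] != "/admin/edit_department.php":   # affected file named in the CVE record
        return reasons
    for value in rec["params"].get("d", []):
        if not value.isdigit():               # assumption: d is meant to be a numeric department id
            reasons.append("non-numeric d")
        if SQLI_RE.search(value):
            reasons.append("sqli pattern in d")
    if rec["status"] >= 500:                  # database errors often surface as 5xx responses
        reasons.append("server error on admin endpoint")
    return reasons

def analyse(log_text, repeat_threshold=2):
    # Scan log text; return (findings, sources reaching the threshold of suspicious requests).
    findings, per_source = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec) if rec else []
        if reasons:
            per_source[rec["ip"]] += 1
            findings.append((rec["ip"], rec["params"].get("d", [""])[0], reasons))
    return findings, [ip for ip, n in per_source.items() if n >= repeat_threshold]
```

Running analyse(SAMPLE_LOG) flags the three crafted requests and reports 203.0.113.5 as a repeat source; the benign d=7 request and the unrelated index.php request produce no finding.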

Mitigation and prioritisation

  • Apply vendor patch or upgrade to a fixed version if available; validate in staging before production.
  • Implement input validation and use prepared statements for all SQL calls; eliminate direct string concatenation.
  • Add compensating controls: harden the admin interface (IP allow-list, MFA for admins, disable remote admin if feasible, strong authentication).
  • Deploy WAF rules to block known SQLi patterns on the affected parameter; monitor for repeated attempts.
  • Change-management: coordinate patch window, perform integrity checks, and enable enhanced logging/monitoring post-deployment.
