CVE Alert: CVE-2025-11347 – code-projects – Student Crud Operation
CVE-2025-11347
A vulnerability was found in code-projects Student Crud Operation up to version 3.3. It affects the function move_uploaded_file in the file add.php of the Add Student Page/Edit Student Page component. Manipulation of this function results in an unrestricted file upload. The attack can be initiated remotely. An exploit has been made public and could be used.
AI Summary Analysis
**Risk verdict**: High risk due to remote, unauthenticated arbitrary file upload that can yield remote code execution; public exploit guidance increases likelihood of opportunistic attacks.
**Why this matters**: An attacker could upload and execute a malicious script on the server, gaining control, exfiltrating data, or pivoting to other systems. The business impact includes possible downtime, data loss, and damages to trust and regulatory standing.
**Most likely attack path**: An attacker submits a crafted file via the Add Student Page/Edit Student Page without authentication (AV:N, PR:N, UI:N). The uploaded payload lands in a web-accessible area and, if not properly validated, may be executed by the server, enabling RCE with the web app’s privileges. No user interaction is required, and the impact scales with the app’s access.
**Who is most exposed**: Organisations hosting this PHP component on internet-facing stacks with writable upload directories and weak server hardening are most at risk, particularly where uploads are not isolated from the webroot or where script execution is permitted in the upload directory.
**Detection ideas**:
- New executable-looking files appearing in the uploads path shortly after upload attempts.
- PHP/Apache/Nginx error or access logs showing execution attempts of recently uploaded content.
- Unauthenticated or unusual upload requests to add.php, especially with executable extensions.
- WAF alerts for unrestricted file upload patterns or anomalous content types.
- Post-upload requests triggering server-side script execution.
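As an added example (not part of the advisory or of the vendor's code), the last two detection ideas as a small log-correlation script: a POST to add.php followed within a short window by a request for a PHP-extension file under the upload directory. The upload directory path, the log format and the sample log lines are constructed assumptions; adjust them to the deployment.

```python
import re
from datetime import datetime, timedelta

# Apache/Nginx combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".phps")
UPLOAD_ENDPOINT = "/add.php"   # endpoint named in the advisory
UPLOAD_DIR = "/uploads/"       # assumed upload location (constructed)
WINDOW = timedelta(minutes=10)  # how long after an upload POST to correlate

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def find_upload_then_execute(lines):
    """Return (requester_ip, upload_ts, requested_path) for every request of a
    script-extension file under UPLOAD_DIR that follows an upload POST within WINDOW."""
    uploads, hits = [], []
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        path = e["path"].split("?")[0]
        if e["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads.append(e["ts"])
            continue
        if path.lower().startswith(UPLOAD_DIR) and path.lower().endswith(EXEC_EXT):
            if any(timedelta(0) <= e["ts"] - ts <= WINDOW for ts in uploads):
                hits.append((e["ip"], max(ts for ts in uploads if ts <= e["ts"]), path))
    return hits

# Constructed sample log lines; the final entry falls outside the window.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Oct/2025:12:00:01 +0000] "GET /add.php HTTP/1.1" 200 2311',
    '203.0.113.10 - - [05/Oct/2025:12:00:07 +0000] "POST /add.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [05/Oct/2025:12:00:20 +0000] "GET /uploads/photo_1234.jpg HTTP/1.1" 200 54211',
    '203.0.113.10 - - [05/Oct/2025:12:00:31 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 77',
    '192.0.2.55 - - [05/Oct/2025:13:45:00 +0000] "GET /uploads/old.php HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for ip, upload_ts, path in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT: {path} requested by {ip} after upload at {upload_ts.isoformat()}")
```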
**Mitigation and prioritisation**:
- Apply vendor patch or upgrade to the latest release; if unavailable, apply compensating controls immediately.
- Disable unrestricted uploads; enforce a strict allowlist of non-executable file types and store files under server-generated names rather than the client-supplied filename.
- Store uploads outside the webroot and configure the server to disallow execution in the upload directory.
- Enforce authentication and strict access controls on upload endpoints; enable CSRF protection and rate limiting.
- Validate and scan uploads server-side; monitor for anomalous activity; plan staged patching and testing before production.