CVE Alert: CVE-2025-11557 – projectworlds – Gate Pass Management System

CVE-2025-11557

Severity: HIGH | Exploitation status: No exploitation known

A vulnerability has been found in projectworlds Gate Pass Management System 1.0. The issue affects an unspecified part of the processing in the file /add-pass.php. Manipulation of the argument fullname leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

CVSS v3.1 score: 7.3
Vendor: projectworlds
Product: Gate Pass Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-09T21:02:05.659Z
Updated: 2025-10-09T21:02:05.659Z

AI Summary Analysis

Risk verdict

High risk: publicly disclosed, remote SQL injection on a web-facing component can lead to data exposure and manipulation.

Why this matters

The vulnerability enables arbitrary data retrieval and modification via unauthenticated input, potentially exposing personal and operational data. With automated tooling and a public advisory, attackers could scale exploitation, risking regulatory breach and disruption of gate-pass processes.

Most likely attack path

Attacker sends crafted requests to the add-pass.php endpoint, injecting through the fullname parameter. No user interaction or authentication is required, and the database can be queried or altered due to insufficient input handling. Given the CVSS indicators, preconditions are minimal (network access, low complexity, no privileges required) and successful abuse can yield confidentiality and integrity impacts, with possible data exposure across the back-end system.

Who is most exposed

Web-facing deployments in education, municipal, or small-to-mid enterprise environments that run gate-pass management in on-premises or hosted setups are most at risk, especially where public access isn’t adequately gated or monitored.

Detection ideas

  • Patterns of SQL syntax in fullname fields (e.g., UNION SELECT, comments, tautologies) in logs
  • SQL error messages or abnormal DB errors in web/app logs
  • Unusual spikes in requests to add-pass.php or erratic query latencies
  • WAF/IPS alerts for SQL injection payloads
  • DB account activity anomalies or unexpected data access patterns
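The first and third detection ideas above, turned into log-scanning code. This is an added example, not part of the advisory and not code from projectworlds. It assumes the application or a reverse proxy in front of it writes the submitted fullname field to a log in the constructed format shown in the comments (real product logs will differ and the parser must be adapted); the sample log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log format (assumption: the application or a reverse proxy logs the
# submitted form field; the real product's logs may look different):
#   <timestamp> <client-ip> <method> <path> [fullname="<value>"]
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)'
    r'(?: fullname="(?P<fullname>[^"]*)")?$'
)

# SQL syntax that has no business in a person's name. A legitimate apostrophe
# (O'Brien) is NOT matched: the tautology rule needs a quote followed by a
# boolean operator and the start of another literal.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"""['"]\s*(or|and)\s+['"0-9]""", re.I)),
    ("union_select", re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I)),
    ("comment", re.compile(r"(--|/\*|#)")),
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete|select)\b", re.I)),
]

# Constructed sample log: one benign user, one source probing add-pass.php with
# textbook patterns, one unrelated request.
SAMPLE_LOG = [
    '2025-10-10T08:00:01Z 203.0.113.10 POST /add-pass.php fullname="Maria O\'Brien"',
    '2025-10-10T08:00:05Z 198.51.100.7 POST /add-pass.php fullname="x\' OR \'1\'=\'1"',
    '2025-10-10T08:00:06Z 198.51.100.7 POST /add-pass.php fullname="x\' UNION SELECT 1,2,3-- "',
    '2025-10-10T08:00:07Z 198.51.100.7 POST /add-pass.php fullname="Jane Doe"',
    '2025-10-10T08:00:08Z 198.51.100.7 POST /add-pass.php fullname="Jane Doe"',
    '2025-10-10T08:00:09Z 192.0.2.44 GET /index.php',
    '2025-10-10T08:00:10Z 192.0.2.44 POST /add-pass.php fullname="Li Wei"',
]


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return (line_no, client_ip, indicator, value) for every add-pass.php request
    whose fullname field contains SQL syntax. The value is URL-decoded first so
    percent-encoded quotes are seen too; the first matching indicator wins."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if not rec or rec["path"] != "/add-pass.php" or rec["fullname"] is None:
            continue
        value = unquote_plus(rec["fullname"])
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(value):
                findings.append((n, rec["ip"], name, value))
                break
    return findings


def request_spike(lines, threshold: int):
    """Client IPs that sent more than `threshold` requests to /add-pass.php in the
    window covered by `lines` (the caller decides the window and threshold)."""
    counts = Counter(
        rec["ip"] for rec in map(parse_line, lines)
        if rec and rec["path"] == "/add-pass.php"
    )
    return {ip: c for ip, c in counts.items() if c > threshold}


if __name__ == "__main__":
    for n, ip, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {kind}: {value!r}")
    print("spike:", request_spike(SAMPLE_LOG, threshold=3))
```

The benign "Maria O'Brien" line is deliberately included: an apostrophe alone is not an indicator, and a rule that flags every quote will drown the alert in false positives. Correlating a pattern hit with a request spike from the same source is a stronger signal than either on its own.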

Mitigation and prioritisation

  • Apply vendor patch or upgrade; ensure parameterised queries/prepared statements are used
  • Implement input validation and strict whitelisting on fullname
  • Enforce least-privilege DB access and segregate environments
  • Deploy web application firewall rules targeting SQLi patterns
  • Schedule patching with testing in staging; enable enhanced logging and monitoring; document a rapid rollback plan.
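The first two mitigation bullets (parameterised queries plus whitelist validation of fullname) as working code. This is an added example, not part of the advisory and not the projectworlds code base: the real application is PHP, so this Python/sqlite3 version only illustrates the principle, and the PHP equivalent is a PDO or mysqli prepared statement with a bound parameter. The table name gate_pass, the column fullname and the exact whitelist are assumptions.

```python
import re
import sqlite3

# Whitelist for a person's name: letters (ASCII and Latin-1 accented), spaces,
# hyphens, apostrophes and periods, at most 100 characters. The policy itself is
# an assumption; widen it as your user base requires, but keep it a whitelist.
FULLNAME_RE = re.compile(r"^[A-Za-zÀ-ÖØ-öø-ÿ][A-Za-zÀ-ÖØ-öø-ÿ .'\-]{0,99}$")


def is_valid_fullname(value: str) -> bool:
    """Second layer: reject anything outside the whitelist before it reaches the DB."""
    return FULLNAME_RE.fullmatch(value.strip()) is not None


def unsafe_query(fullname: str) -> str:
    """The CWE-89 anti-pattern: the value is spliced into the SQL text. Even a
    benign O'Brien breaks the statement, and crafted input changes its meaning.
    Returned as a string for illustration only; it is never executed here."""
    return f"INSERT INTO gate_pass (fullname) VALUES ('{fullname}')"


def setup() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's pass table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gate_pass (id INTEGER PRIMARY KEY, fullname TEXT NOT NULL)")
    return conn


def insert_parameterised(conn: sqlite3.Connection, fullname: str) -> int:
    """First layer: a prepared statement with a bound parameter. The driver sends
    the value as data, so quotes and keywords in it are stored literally and are
    never parsed as SQL. Returns the new row id."""
    cur = conn.execute("INSERT INTO gate_pass (fullname) VALUES (?)", (fullname,))
    conn.commit()
    return cur.lastrowid


def add_pass(conn: sqlite3.Connection, fullname: str) -> int:
    """What the add-pass handler should do: validate, then bind.
    Raises ValueError on rejected input instead of touching the database."""
    if not is_valid_fullname(fullname):
        raise ValueError("fullname contains characters outside the allowed set")
    return insert_parameterised(conn, fullname.strip())


def list_names(conn: sqlite3.Connection) -> list:
    """Stored names in insertion order, to show what actually landed in the table."""
    return [row[0] for row in conn.execute("SELECT fullname FROM gate_pass ORDER BY id")]


if __name__ == "__main__":
    conn = setup()
    print(unsafe_query("Maria O'Brien"))          # broken SQL even for a valid name
    add_pass(conn, "Maria O'Brien")               # accepted and stored literally
    insert_parameterised(conn, "x' OR '1'='1")    # bound parameter: stored as text, not parsed
    try:
        add_pass(conn, "x' OR '1'='1")            # whitelist rejects it before the DB
    except ValueError as exc:
        print("rejected:", exc)
    print(list_names(conn))
```

The two layers are independent: the bound parameter is what removes the injection, and it does so regardless of what the string contains, while the whitelist shrinks the attack surface and gives a clean rejection to log on. Pair them with the third bullet by running the application under a database account that holds only the INSERT and SELECT rights the pass workflow needs.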
