CVE Alert: CVE-2025-12938 – projectworlds – Online Admission System

CVE-2025-12938

Severity: HIGH | Exploitation: No exploitation known | PoC observed

A vulnerability was identified in projectworlds Online Admission System 1.0. It affects an unknown function of the file /process_login.php: manipulating the argument keywords leads to SQL injection. The attack can be launched remotely. A public exploit is available and may be used.

CVSS v3.1 score: 7.3
Vendor: projectworlds
Product: Online Admission System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-11-10T12:02:05.812Z
Updated: 2025-11-10T12:45:16.175Z

AI Summary Analysis

Risk verdict

High risk: remote SQL injection with a publicly available PoC against the login endpoint; exploitation is plausible without user interaction.

Why this matters

Compromise of the admission system could expose student data, enable credential theft, or allow tampering with application status. The public PoC and remote viability raise the likelihood of automated or opportunistic attacks, with potential regulatory and reputational impact for the institution.

Most likely attack path

An attacker can reach the login processing script directly over the network without authentication and send crafted values in the keywords argument to trigger the SQL injection. The vulnerability has confidentiality, integrity, and availability impact, with no user interaction required and minimal attacker prerequisites. In CVSS terms, the vector implies network access, low attack complexity, no privileges required, and partial (low) impact on data confidentiality, data integrity, and service availability.

Who is most exposed

Public-facing deployment of the Online Admission System (typical web server on a standard LAMP/LEMP stack) is most at risk, especially where the login page is exposed to the Internet without compensating controls.

Detection ideas

  • Repeated login attempts with unusual keyword patterns triggering errors in server logs.
  • SQL error messages or database error traces visible in responses or logs.
  • Anomalous queries in application logs tied to the keywords parameter.
  • Sudden spikes in login failures or abnormal data extraction patterns in DB access logs.
  • WAF alerts for SQLi-like payloads targeting process_login.php.
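As an added example (not code from this advisory or from the product), a small Python detector that applies the first, second, fourth and fifth ideas above to log lines for /process_login.php. The log format, the detection thresholds and the sample lines are assumptions constructed for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Assumed log format (one request per line; not the product's real log layout):
#   <ISO-8601 time> ip=<client> path=<script> keywords=<url-encoded value> status=<http status>
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) keywords=(?P<kw>\S*) status=(?P<status>\d{3})$")
# Tokens rarely seen in legitimate login input but typical of SQL injection probes.
SQLI_RE = re.compile(r"'|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\b(sleep|benchmark)\s*\(", re.I)

TARGET = "/process_login.php"
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=60)   # assumed thresholds for "repeated attempts"

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    d["kw"] = unquote_plus(d["kw"])  # decode first so %27 / + are matched as ' / space
    return d

def analyse(lines):
    """Return (ip, reason) findings for requests to the login script."""
    findings, hits = [], defaultdict(list)   # hits: ip -> timestamps of requests to TARGET
    for line in lines:
        r = parse(line)
        if r is None or r["path"] != TARGET:
            continue
        if SQLI_RE.search(r["kw"]):
            findings.append((r["ip"], "sqli-pattern"))   # WAF-style payload match on keywords
        if r["status"] == "500":
            findings.append((r["ip"], "server-error"))   # DB error surfaced as a server error
        hits[r["ip"]].append(r["ts"])
    for ip, times in hits.items():   # repeated attempts from one client inside a short window
        times.sort()
        if any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
               for i in range(len(times) - BURST_COUNT + 1)):
            findings.append((ip, "burst"))
    return findings

# Constructed sample: a normal login, a probe that also raised a DB error, and a burst of attempts.
SAMPLE = [
    "2025-11-10T12:05:01Z ip=192.0.2.10 path=/process_login.php keywords=alice status=200",
    "2025-11-10T12:05:09Z ip=203.0.113.5 path=/process_login.php keywords=alice%27+OR+1%3D1-- status=500",
] + [f"2025-11-10T12:06:{s:02d}Z ip=198.51.100.7 path=/process_login.php keywords=bob status=200"
     for s in range(0, 50, 10)]
```

Running `analyse(SAMPLE)` flags the probing client twice (payload pattern and server error) and the bursting client once, while the normal login produces no finding.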

Mitigation and prioritisation

  • Apply vendor patch or upgrade to fixed version; if unavailable, implement rigorous input handling and parameterised queries immediately.
  • Implement WAF rules to block SQLi payloads on the login endpoint; enforce strict input validation on keywords.
  • Restrict access to the login page (IP allowlists, rate limiting) and enable comprehensive monitoring of authentication traffic.
  • Rotate credentials and review DB permissions; ensure database accounts used by the app have least privilege.
  • Change management: test in staging before production and document the remediation steps. If the CVE is listed in KEV or its EPSS score is ≥ 0.5, treat it as priority 1; if EPSS data becomes available later and is ≥ 0.5, re-prioritise accordingly.
