CVE Alert: CVE-2025-10076 – SourceCodester – Online Polling System

CVE-2025-10076

HIGH
No exploitation known

A weakness has been identified in SourceCodester Online Polling System 1.0. It affects an unknown function in the file /manage-profile.php: manipulation of the argument email leads to SQL injection. The attack can be launched remotely. A public exploit exists and may be used.

CVSS v3.1 score: 7.3
Vendor: SourceCodester
Product: Online Polling System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-08T01:02:07.399Z
Updated: 2025-09-08T01:02:07.399Z

AI Summary Analysis

Risk verdict

Publicly disclosed PoC remote SQL injection against manage-profile.php in SourceCodester Online Polling System 1.0; exploitation is unauthenticated and network-based.

Why this matters

Attackers can read or alter user-profile data reached through the email parameter, with potential data leakage and integrity impacts. On unpatched, self-hosted deployments the flaw could enable targeted data exposure or modification without any user interaction, putting confidentiality and trust in poll results at risk.

Most likely attack path

Remote, unauthenticated attackers can exploit the SQL injection via the email parameter with no user interaction. Per the vector, exploitation needs only network access with low attack complexity and no privileges, and scope is unchanged. Confidentiality, integrity, and availability impacts are each currently rated low, but a successful injection could still yield partial database read access or data manipulation.

Who is most exposed

Typically deployed in small or medium web environments running PHP on LAMP-style stacks; common on self-hosted or hosting-provider setups with minimal hardening and delayed patching. Organisations using SourceCodester’s polling system for student, community, or member polls are most at risk.

Detection ideas

  • Web server logs show unusual query strings targeting manage-profile.php with crafted email values.
  • SQL error messages or database error traces in responses or logs.
  • IDS/IPS signatures for common SQLi payloads (e.g., tautologies, UNION SELECT).
  • WAF alerts for SQL injection patterns on the affected endpoint.
  • Unusual profile data access or modifications from non-admin IPs.
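A way to turn the first two detection ideas into a log check, as an added example that is not part of the advisory: it parses Apache "combined" access-log lines (an assumed layout), keeps only requests to manage-profile.php, percent-decodes the email value twice so double-encoded probes are not missed, and flags values matching common SQL injection indicators. The sample log lines are constructed.

```python
"""Flag SQL-injection probes against manage-profile.php's email parameter in
access logs (added example; sample lines constructed, Apache combined layout assumed)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# combined layout: IP ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Heuristic SQLi indicators (quotes, comments, OR-tautologies, UNION SELECT,
# MySQL time-based primitives). Tune against local false positives.
SQLI_RE = re.compile(r"('|\"|--|#|/\*|\bor\b\s+\S+\s*=\s*\S+"
                     r"|\bunion\b\s+(all\s+)?select\b|\bsleep\s*\(|\bbenchmark\s*\()",
                     re.IGNORECASE)
VULNERABLE_PATH = "/manage-profile.php"

def suspicious_email_values(target: str) -> list[str]:
    """Return decoded 'email' values from a request target that look like SQLi."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULNERABLE_PATH):
        return []
    flagged = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("email", []):
        # parse_qs decodes once; decode again so a double-encoded payload
        # (%2527 -> %27 -> ') cannot slip past the pattern.
        decoded = unquote_plus(value)
        if SQLI_RE.search(value) or SQLI_RE.search(decoded):
            flagged.append(decoded)
    return flagged

def scan_log(lines):
    """Return (ip, timestamp, status, payload) per flagged request. A 5xx status
    beside a flagged value is a stronger signal: unhandled SQL errors become 500s."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the scan
        for payload in suspicious_email_values(m["target"]):
            hits.append((m["ip"], m["ts"], int(m["status"]), payload))
    return hits

# Constructed sample (RFC 5737 addresses): benign request, two probes, a request
# to another script, and a double-encoded probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2025:10:15:01 +0000] "GET /manage-profile.php?email=alice%40example.org HTTP/1.1" 200 1532',
    '203.0.113.7 - - [08/Sep/2025:10:15:09 +0000] "GET /manage-profile.php?email=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 1844',
    '203.0.113.7 - - [08/Sep/2025:10:15:12 +0000] "GET /manage-profile.php?email=x%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 500 512',
    '198.51.100.9 - - [08/Sep/2025:10:16:40 +0000] "GET /index.php?email=%27 HTTP/1.1" 200 900',
    '198.51.100.9 - - [08/Sep/2025:10:16:45 +0000] "GET /manage-profile.php?email=x%2527%2520OR%25201%253D1 HTTP/1.1" 200 1844',
]
```

Only GET query strings reach the access log; if the profile form submits by POST, the same check has to run on a WAF or application log that records request bodies.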

Mitigation and prioritisation

  • Upgrade to a fixed release if the vendor publishes one, and follow the vendor security advisory where available.
  • Implement parameterised queries (prepared statements) for all database calls; validate and sanitize email input.
  • Enforce least-privilege DB accounts, disable unnecessary remote DB access, and sandbox DB user permissions.
  • Enable a robust WAF, suppress verbose error messages, and log all injection attempts with IPs.
  • Change-management: test in staging, back up data, schedule window for patching.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1.
