CVE Alert: CVE-2025-10077 – SourceCodester – Online Polling System
CVE-2025-10077
A security vulnerability has been identified in SourceCodester Online Polling System 1.0. It affects an unknown function of the file /registeracc.php: manipulation of the argument email leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
AI Summary Analysis
Risk verdict
High risk: a remote, unauthenticated SQL injection with a publicly disclosed exploit; remediate urgently.
Why this matters
An attacker could read or modify backend data, and potentially compromise poll integrity or availability. Because the vulnerability sits in a public registration endpoint, automated tooling can target many installations at scale, widening the blast radius across hosts running the affected version.
Most likely attack path
An attacker sends crafted input in the email parameter of registeracc.php over the network; no authentication is required and attack complexity is low. The injection can disclose data or corrupt records within the application's own database (scope unchanged), enabling data tampering with no user interaction and no elevated privileges.
Who is most exposed
Internet-facing deployments of this PHP-based polling system, especially those with publicly accessible registration endpoints, are most at risk.
Detection ideas
- Logs show SQL error messages or database warnings from registeracc.php.
- Unusual or high-frequency requests to registeracc.php whose email value contains quotes, SQL keywords (UNION, SELECT, SLEEP, BENCHMARK) or comment sequences (--, /*, #).
- WAF/IPS alerts or blocked requests indicating SQL injection patterns.
- Abnormal query patterns in the database log (tautologies, UNION, time-delay functions) or a spike in failed queries originating from the web tier.
- IOCs or payloads aligned with public exploits referenced in advisories.
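The following is an added example, not code from the advisory or from the Online Polling System project. It applies the detection ideas above to web access log lines: it picks out requests to registeracc.php, percent-decodes the email argument, tests it against a small set of SQL injection indicator patterns, treats a 5xx response on the endpoint as a possible surfaced database error, and counts suspicious requests per source address. The log lines are constructed sample data in combined log format; the burst threshold and the indicator patterns are assumptions to be tuned per site.

```php
<?php
declare(strict_types=1);
// Added example (not advisory or project code): scan access log lines for
// requests to registeracc.php whose email argument carries SQL injection
// indicators. SAMPLE_LOG is constructed test data, not real traffic.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Sep/2025:10:00:01 +0000] "GET /registeracc.php?email=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2025:10:00:02 +0000] "GET /registeracc.php?email=x%27%20OR%201%3D1--%20 HTTP/1.1" 500 321 "-" "python-requests/2.32"
203.0.113.9 - - [10/Sep/2025:10:00:02 +0000] "GET /registeracc.php?email=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 987 "-" "python-requests/2.32"
203.0.113.9 - - [10/Sep/2025:10:00:03 +0000] "GET /registeracc.php?email=x%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 321 "-" "python-requests/2.32"
198.51.100.4 - - [10/Sep/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG;

// Indicator patterns applied to the percent-decoded email value. They are kept
// narrow on purpose: a bare "or"/"and" would false-positive on ordinary addresses.
const INDICATORS = [
    'quote_or_comment'  => '/[\'"]|--|\/\*|#/',
    'union_select'      => '/\bunion\b.*\bselect\b/i',
    'boolean_tautology' => '/\b(or|and)\b\s+\S+\s*=\s*\S+/i',
    'time_based'        => '/\b(sleep|benchmark|pg_sleep|waitfor)\b/i',
];

// Parse one combined-format line into ip, timestamp, method, request target, status.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the decoded email argument if the target is registeracc.php, else null.
function emailArgument(string $target): ?string
{
    $path  = parse_url($target, PHP_URL_PATH);
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($path) || !str_ends_with($path, '/registeracc.php') || !is_string($query)) {
        return null;
    }
    parse_str($query, $params);          // parse_str also percent-decodes the values
    $email = $params['email'] ?? null;
    return is_string($email) ? $email : null;
}

function indicatorsIn(string $email): array
{
    $hits = [];
    foreach (INDICATORS as $name => $re) {
        if (preg_match($re, $email) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function scanLog(string $log): array
{
    $findings  = [];
    $perSource = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null) {
            continue;
        }
        $email = emailArgument($req['target']);
        if ($email === null) {
            continue;
        }
        $hits = indicatorsIn($email);
        if ($req['status'] >= 500) {
            $hits[] = 'server_error';    // a 5xx on this endpoint often means the query itself failed
        }
        if ($hits === []) {
            continue;
        }
        $perSource[$req['ip']] = ($perSource[$req['ip']] ?? 0) + 1;
        $findings[] = ['ip' => $req['ip'], 'time' => $req['time'], 'email' => $email, 'hits' => $hits];
    }
    return ['findings' => $findings, 'per_source' => $perSource];
}

$result = scanLog(SAMPLE_LOG);
foreach ($result['findings'] as $f) {
    printf("%s %s email=%s indicators=%s\n", $f['time'], $f['ip'], json_encode($f['email']), implode(',', $f['hits']));
}
// Burst threshold is an assumption; tune it to the site's normal registration volume.
foreach ($result['per_source'] as $ip => $count) {
    if ($count >= 3) {
        printf("BURST %s: %d suspicious registration requests\n", $ip, $count);
    }
}
```

One caveat: the advisory does not say whether the email argument is sent in the query string or a POST body. If it is a POST parameter, the web server access log will not contain the value at all, and this scan must instead run over WAF logs, application error logs, or a request-body audit log that you enable deliberately.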
Mitigation and prioritisation
- Apply vendor patch or upgrade to a fixed version as soon as available.
- If no vendor fix is available, patch the code yourself: replace string-built SQL in the registration flow with parameterised (prepared) queries, and validate the email format as a secondary control. Input validation on its own does not prevent injection; binding the value as data does.
- Enable WAF/IPS rules for SQL injection signatures; restrict access to the endpoint where feasible.
- Enforce least-privilege DB accounts and rotate credentials; audit and limit DB user permissions.
- Deploy in staging first; plan a rapid production patch window; set up enhanced monitoring for registration activity and SQL errors.
- Note: no KEV listing or EPSS score was available at the time of writing; given the public exploit and remote reachability, treat this as high-priority remediation.
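The following is an added example, not the project's code. The advisory does not show the affected function, so the "before" shape here is an assumed typical form of this bug class, and the table and column names (users, email, password) are assumptions. It places a hardened registration routine using PDO prepared statements beside the assumed vulnerable query, and runs against an in-memory SQLite database (pdo_sqlite extension) so it is self-contained; in the real application the DSN would point at the site's MySQL instance.

```php
<?php
declare(strict_types=1);
// Added example, not code from the Online Polling System project. The
// vulnerable function below is an ASSUMED shape of the registeracc.php bug,
// kept only to show why the tautology payload works; table/column names are
// assumptions. SQLite in-memory is used so the example runs offline.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares where the driver supports them
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');

// --- Assumed vulnerable shape (do NOT use): the email is spliced into SQL ---
function existsVulnerable(PDO $db, string $email): bool
{
    $sql = "SELECT id FROM users WHERE email = '$email'";   // attacker controls the SQL text
    return $db->query($sql)->fetch() !== false;
}

// --- Hardened registration: validate, then bind the value as data ---
function registerAccount(PDO $db, string $email, string $password): string
{
    // Secondary control: reject anything that is not a syntactically valid address.
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        return 'invalid_email';
    }
    // Primary control: the placeholder is bound as data, never concatenated into SQL.
    $check = $db->prepare('SELECT 1 FROM users WHERE email = :email');
    $check->execute([':email' => $email]);
    if ($check->fetchColumn() !== false) {
        return 'already_registered';
    }
    $insert = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
    try {
        $insert->execute([':email' => $email, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // UNIQUE violation: lost the check-then-insert race
            return 'already_registered';
        }
        // Log $e->getMessage() server-side; never echo driver errors to the client,
        // since SQL error text in responses is exactly what an attacker uses to tune the injection.
        throw $e;
    }
    return 'ok';
}

// Demonstration calls (constructed inputs).
$attackerPayload = "x' OR 1=1-- ";
echo 'alice@example.com: ', registerAccount($db, 'alice@example.com', 'correct horse'), "\n";
echo 'payload via hardened path: ', registerAccount($db, $attackerPayload, 'x'), "\n";
echo "o'neil@example.com: ", registerAccount($db, "o'neil@example.com", 'battery staple'), "\n";
echo 'payload via assumed vulnerable query: ', existsVulnerable($db, $attackerPayload) ? 'matches rows' : 'no match', "\n";
```

The three hardened calls show the two controls working together: the tautology payload is stopped by format validation before any SQL runs, while an address that legitimately contains an apostrophe is still accepted because the prepared statement sends it as a parameter rather than as SQL text. The last call shows that the same payload, spliced into the assumed vulnerable query, turns the WHERE clause into a tautology that matches every row; the `--` comments out the trailing quote, which is why such payloads survive naive quoting.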