CVE Alert: CVE-2025-10082 – SourceCodester – Online Polling System
CVE-2025-10082
A vulnerability has been found in SourceCodester Online Polling System 1.0. Affected is an unknown function of the file /admin/manage-admins.php. Manipulation of the argument email leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection in the admin panel with public exploit disclosure increases likelihood of active abuse.
Why this matters
An attacker can manipulate the email parameter to read or modify data, potentially compromising admin accounts and sensitive poll data. In exposed deployments, this can enable data leakage, unauthorised changes to admin records, and disruption of governance workflows for polls or surveys.
Most likely attack path
Remote, unauthenticated exploitation via /admin/manage-admins.php as the injection point. No user interaction required; attacker can inject through the email parameter to trigger data exposure or modification, with potential privilege escalation if admin credentials are affected. Scope remains on the application and its database, enabling sustained impact if undetected.
Who is most exposed
Public-facing, self-hosted SourceCodester Online Polling System instances are at risk, especially in small to mid-sized organisations running older PHP/MySQL stacks with default deployments and lax input handling.
Detection ideas
- Web logs showing injection patterns in the email parameter, or SQL syntax error messages returned in responses to requests that carry it.
- Requests to manage-admins.php whose email parameter contains unexpected quotes or OR/UNION payloads.
- Increased 500/502 responses following targeted parameter abuse.
- WAF alerts for SQLi signatures on the admin endpoint.
- Anomalous admin account activity or credential changes after suspicious requests.
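As an added illustration of the log-based detection ideas above (example code written for this page, not from the advisory or the vendor): a small Python scanner that parses constructed access-log lines, flags requests to /admin/manage-admins.php whose email parameter carries the quote, OR/AND or UNION patterns listed above, and counts 5xx responses on that endpoint. The log lines, IPs and values are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from a real deployment.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2025:10:00:01 +0000] "GET /admin/manage-admins.php?email=alice%40example.org HTTP/1.1" 200 512
203.0.113.10 - - [01/Sep/2025:10:00:05 +0000] "GET /admin/manage-admins.php?email=a%27+OR+1%3D1-- HTTP/1.1" 200 4096
203.0.113.10 - - [01/Sep/2025:10:00:06 +0000] "GET /admin/manage-admins.php?email=a%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 500 221
198.51.100.7 - - [01/Sep/2025:10:01:00 +0000] "GET /index.php?id=5 HTTP/1.1" 200 1024
"""

# Fields of a combined-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicators named in the advisory's detection ideas: quotes, boolean OR/AND tautologies,
# UNION SELECT, and SQL comment markers. Tune for your own false-positive budget.
SQLI_RE = re.compile(
    r"""['"`]|\b(or|and)\b\s+\S+\s*=|\bunion\b\s+(all\s+)?select|--|/\*""",
    re.IGNORECASE,
)


def scan_log(text, endpoint="/admin/manage-admins.php", param="email"):
    """Return (hits, error_count): hits are (ip, status, decoded email value) tuples
    for requests to `endpoint` whose `param` matches SQLI_RE; error_count is the
    number of 5xx responses on that endpoint, a secondary signal after probing."""
    hits, errors = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        if m.group("status").startswith("5"):
            errors += 1
        # parse_qs percent-decodes and turns '+' into spaces, so patterns are matched on the value as the app sees it.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if SQLI_RE.search(value):
                hits.append((m.group("ip"), m.group("status"), value))
    return hits, errors


if __name__ == "__main__":
    found, err = scan_log(SAMPLE_LOG)
    for ip, status, value in found:
        print(f"suspicious email param from {ip} (HTTP {status}): {value!r}")
    print(f"5xx responses on admin endpoint: {err}")
```

Feed it the web server's access log for the admin path; repeated hits from one client followed by 5xx responses on the same endpoint are the sequence the WAF and log-based ideas above are looking for.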
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a patched version; confirm the fix uses parameterised queries (prepared statements) rather than string-built SQL.
- Until then, validate the email field (format and length) and use parameterised queries for every query it reaches; disable or tightly restrict access to admin endpoints where feasible.
- Deploy WAF rules to block common SQLi patterns against the admin path; monitor for repeated probes.
- Audit admin accounts and monitor for suspicious changes; enforce MFA on privileged access where possible.
- Test changes in staging, then deploy with change-management oversight. If exploitation is suspected or confirmed, treat as priority 1.