CVE Alert: CVE-2025-10784 – Campcodes – Online Learning Management System
CVE-2025-10784
A security vulnerability has been detected in Campcodes Online Learning Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_subject.php. The manipulation of the argument subject_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection in an admin function (/admin/edit_subject.php) with a publicly available PoC increases exploitation likelihood on exposed deployments.
Why this matters
Direct database access from unauthenticated requests can expose or corrupt subject data and related records, with potential data leakage, integrity faults, and reputational impact for organisations using the LMS. Attackers could aim to exfiltrate student records, modify course content, or escalate within the application to broader access.
Most likely attack path
An attacker could exploit the subject_code parameter in /admin/edit_subject.php via crafted input, without any user interaction, to trigger a SQL injection. If the admin interface is internet-facing, the attacker can run arbitrary queries to read or modify data within the database. With the CVSS scope unchanged (Scope: U) and low-rated impact metrics, the attacker’s access remains confined to the application’s data layer but can still enable meaningful data theft or tampering.
Who is most exposed
Institutions running the LMS in publicly reachable environments or with poorly protected admin panels—particularly smaller, self-hosted deployments—are most at risk.
Detection ideas
- Logs showing unusual or failed SQL queries linked to subject_code.
- Anomalous reads/writes to subject/course tables.
- Unexpected 1=1-style payloads or union-based injections in web traffic.
- WAF alerts for SQLi patterns targeting admin endpoints.
- CTI indicators for public PoC activity.
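The third detection idea, turned into a small log filter as an added example (this is not part of the original alert or of the Campcodes code base): it parses constructed Apache-style access-log lines, decodes the query string of requests to /admin/edit_subject.php, and flags subject_code values carrying 1=1-style tautologies, UNION-based patterns or SQL comment terminators. The log format and all sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Combined-log style line; the exact format is an assumption for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Patterns named in the alert: 1=1-style tautologies and UNION-based injections,
# plus comment sequences commonly used to truncate the rest of the query.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\b\d+\s*=\s*\d+\b|'\s*=\s*'", re.I)),
    ("union",     re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("comment",   re.compile(r"(--|#|/\*)")),
]

TARGET_PATH = "/admin/edit_subject.php"
TARGET_PARAM = "subject_code"

def classify(value):
    """Return the names of SQLi patterns matched by a parameter value."""
    decoded = unquote_plus(value)  # parse_qs decodes once; this catches double-encoding
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]

def scan_line(line):
    """Return a finding for a suspicious edit_subject.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None  # other endpoints are out of scope for this rule
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        hits = classify(value)
        if hits:
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "value": value, "patterns": hits}
    return None

def scan_log(lines):
    """Run scan_line over every line and keep only the findings."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (not real traffic): a benign edit, a tautology probe,
# a UNION probe, and an unrelated endpoint that must be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2025:10:00:00 +0000] "GET /admin/edit_subject.php?subject_code=CS101 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Oct/2025:10:00:05 +0000] "GET /admin/edit_subject.php?subject_code=CS101%27%20OR%201%3D1--%20 HTTP/1.1" 200 9811',
    '203.0.113.9 - - [01/Oct/2025:10:00:07 +0000] "GET /admin/edit_subject.php?subject_code=x%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 500 220',
    '10.0.0.7 - - [01/Oct/2025:10:01:00 +0000] "GET /admin/index.php?subject_code=1%3D1 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A sudden jump in response size or a 500 status on the flagged requests, as in the second and third sample lines, is a useful secondary signal that the injected query actually reached the database.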
Mitigation and prioritisation
- Apply patch/upgrade to a fixed version; ensure parameterised queries and prepared statements are used.
- Refactor edit_subject.php input handling; implement strict whitelisting for subject_code.
- Restrict admin panel access (IP allowlists, VPN, MFA) and disable remote exposure where feasible.
- Strengthen DB permissions for the web app user; enable comprehensive query logging and alerting.
- If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1. Consider adopting any compensating controls from the service desk or change-management notes as a temporary measure.