CVE Alert: CVE-2025-11530 – code-projects – Online Complaint Site
CVE-2025-11530
A weakness has been identified in code-projects Online Complaint Site 1.0. The affected component is an unknown function in the file /cms/admin/state.php; manipulation of the argument state leads to SQL injection. The attack can be carried out remotely. The exploit has been made public and may be used in attacks.
AI Summary Analysis
Risk verdict
Moderate risk: a publicly disclosed PoC for a remote SQL injection in the admin area exists, enabling exploitation with relatively low effort, though the overall impact to confidentiality, integrity and availability remains limited.
Why this matters
Successful exploitation could allow an attacker to read or modify database contents and potentially affect admin-facing workflows. The existence of a PoC increases the likelihood of targeted attempts, and its public availability lowers the barrier for opportunistic attacks, especially where admin interfaces are reachable from the internet.
Most likely attack path
An attacker with access to the admin interface, or with compromised credentials, targets the state parameter of /cms/admin/state.php. The vulnerability permits remote SQL injection with low attack complexity, potentially exfiltrating data or tampering with records; broader impact would require additional footholds, given the limited CVSS impact ratings and the absence of admin-level privileges in the base vector.
Who is most exposed
Systems hosting the Online Complaint Site with exposed or poorly protected admin panels are at greatest risk. This is common in small-to-mid-sized deployments on shared or internet-facing PHP stacks without strong authentication or MFA.
Detection ideas
- Unexpected query patterns or errors in web/app logs for state.php
- Unusual spikes in read/write DB activity from admin IPs
- Repeated access to /cms/admin/state.php with varied state parameter values
- Alerting on bursts of failed or admin logins
- WAF/IDS alerts for SQL-like payloads targeting the state parameter
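The following script is an added example, not part of the advisory and not code from the code-projects application. It applies three of the detection ideas above (SQL-like content in the state parameter, repeated access to /cms/admin/state.php with varied values from one source, and server-side errors on that endpoint) to web-server access logs. The log lines embedded in it are constructed sample data in the common/combined log format, using documentation IP ranges; the thresholds and the token list are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common/combined log format. They are illustrative
# only and do not come from any real deployment; 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation address ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:10:00:01 +0000] "GET /cms/admin/state.php?state=Texas HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2025:10:00:02 +0000] "GET /cms/admin/state.php?state=Texas%27 HTTP/1.1" 500 231
203.0.113.5 - - [10/Oct/2025:10:00:03 +0000] "GET /cms/admin/state.php?state=Texas%27-- HTTP/1.1" 500 231
203.0.113.5 - - [10/Oct/2025:10:00:04 +0000] "GET /cms/admin/state.php?state=Texas%20UNION%20SELECT%201 HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2025:10:01:00 +0000] "GET /cms/admin/state.php?state=Ohio HTTP/1.1" 200 498
198.51.100.9 - - [10/Oct/2025:10:01:05 +0000] "GET /cms/admin/index.php HTTP/1.1" 200 1024
"""

TARGET_PATH = "/cms/admin/state.php"   # endpoint named in the advisory
WATCHED_PARAM = "state"                # argument named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Coarse SQL-syntax heuristic: quotes, comment openers, statement separators
# and a few keywords (an assumed starting list). Treat hits as leads to triage,
# not as proof of exploitation.
SQL_TOKENS = re.compile(
    r"""['"]|--|/\*|;|\b(union|select|or|and|sleep|benchmark)\b""", re.IGNORECASE
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "status": int(m.group("status")),
        "param": params.get(WATCHED_PARAM, [""])[0],  # percent-decoded value
    }


def analyse(log_text, variety_threshold=3, error_threshold=2):
    """Apply three of the advisory's detection ideas to access-log text.

    Returns a list of findings, each tagged with the rule that produced it.
    The thresholds are assumed defaults, not values from the advisory.
    """
    values_per_ip = defaultdict(set)
    errors_per_ip = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        values_per_ip[rec["ip"]].add(rec["param"])
        if rec["status"] >= 500:
            errors_per_ip[rec["ip"]] += 1
        if SQL_TOKENS.search(rec["param"]):
            findings.append({"ip": rec["ip"], "rule": "sql_tokens", "value": rec["param"]})
    # Many distinct values for one parameter from one source suggests probing.
    for ip, values in values_per_ip.items():
        if len(values) >= variety_threshold:
            findings.append({"ip": ip, "rule": "param_variety", "count": len(values)})
    # Repeated 5xx responses on this endpoint are the "unexpected errors" signal.
    for ip, n in errors_per_ip.items():
        if n >= error_threshold:
            findings.append({"ip": ip, "rule": "server_errors", "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, every finding points at 203.0.113.5: three values carrying SQL-like tokens, four distinct values of state from one address, and two server errors on the endpoint, while the second address, which requested one ordinary value, produces nothing. In a real pipeline the same three signals would be correlated with failed-login and WAF events before raising an alert.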
Mitigation and prioritisation
- Apply the patched version or vendor fix; if none is available, enforce input validation and parameterised queries around state.php
- Restrict admin interface exposure (IP allowlisting, VPN/MFA for admin accounts)
- Enable MFA for all admin logins; enforce least privilege
- Improve logging and alerting for admin actions and SQL errors; enforce credential hygiene
- Plan a formal patch window; document change-management steps
- Given the PoC presence, treat as medium priority; monitor for exploitation attempts
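The following block is an added example written for this page; it is not code from the advisory or from the code-projects application, and it uses Python with SQLite as a stand-in for the application's PHP and database layer. It places the defective pattern (splicing the state value into the SQL text) beside the parameterised form, and adds the allowlist validation the mitigation list calls for as a second layer. The table, rows and state-name format are constructed assumptions.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the complaint records the
    application stores. Schema and rows are illustrative, not the project's own."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE complaint (id INTEGER PRIMARY KEY, state TEXT, subject TEXT)")
    conn.executemany(
        "INSERT INTO complaint (state, subject) VALUES (?, ?)",
        [("Texas", "Road repair"), ("Ohio", "Water supply"), ("Texas", "Noise")],
    )
    return conn


def complaints_by_state_unsafe(conn, state):
    """The defective pattern: the request value is spliced into the SQL text, so a
    quote character in it changes the statement's structure instead of being data."""
    sql = f"SELECT subject FROM complaint WHERE state = '{state}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def complaints_by_state_safe(conn, state):
    """Parameterised form: the value travels separately from the SQL text and is
    never parsed as SQL, whatever characters it contains. In PHP the equivalent is
    a prepared statement through PDO or mysqli."""
    sql = "SELECT subject FROM complaint WHERE state = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (state,))]


# Assumed format for a state name: words of letters separated by single spaces.
STATE_NAME = re.compile(r"^[A-Za-z]+(?: [A-Za-z]+)*$")


def valid_state(value, max_len=64):
    """Allowlist validation as a second layer in front of the query. Rejecting
    malformed input early also yields a clean, loggable event for detection."""
    return len(value) <= max_len and STATE_NAME.fullmatch(value) is not None


def compare(conn, state):
    """Run both variants on the same input and report how the unsafe one behaved."""
    try:
        unsafe, error = complaints_by_state_unsafe(conn, state), None
    except sqlite3.Error as exc:
        # A quote in the input breaks the statement; this is the same structural
        # weakness an injection relies on, seen here as a syntax error.
        unsafe, error = None, type(exc).__name__
    return {
        "safe": complaints_by_state_safe(conn, state),
        "unsafe": unsafe,
        "unsafe_error": error,
    }


if __name__ == "__main__":
    db = build_db()
    for value in ("Texas", "Texas'"):
        print(repr(value), "valid:", valid_state(value), compare(db, value))
```

For an ordinary value both variants return the same rows; for a value containing a single quote the parameterised query correctly returns no rows, while the spliced query fails with an SQL error because the quote has altered the statement. Validating the value against the allowlist before it reaches either query keeps such input out of the database layer entirely and gives the logging recommended above something precise to record.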