CVE-2025-11343

7.3 HIGH

📋 TL;DR

This vulnerability allows unauthenticated SQL injection in the Student Crud Operation 3.3 software via the delete.php file. Attackers can manipulate the ID parameter to execute arbitrary SQL commands, potentially leading to data deletion, modification, or extraction. Any organization using this specific version of the PHP application is affected.

💻 Affected Systems

Products:
  • Student Crud Operation
Versions: 3.3
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the delete.php file specifically. Requires a PHP environment with database connectivity.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data deletion, exfiltration of sensitive student information, and potential server takeover via SQL injection escalation.

🟠 Likely Case: Mass deletion of student records and unauthorized access to database contents.

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit documentation exists showing mass deletion capability. Simple HTTP requests can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates.
2. If no patch available, implement workarounds.
3. Manually fix delete.php by implementing parameterized queries.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add input validation to delete.php to only accept numeric IDs

Add to delete.php: if(!is_numeric($_GET['ID'])) { die('Invalid input'); }

Web Application Firewall Rule (all platforms)

Block SQL injection patterns targeting delete.php

WAF specific - configure to block SQL patterns in URL parameters

🧯 If You Can't Patch

  • Restrict network access to the application using firewall rules
  • Run the application under a database user with minimal permissions (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

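Test delete.php with SQL injection payload: delete.php?ID=1' OR '1'='1. Because the public exploit documentation shows mass deletion, run this only against a test copy of the database.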

Check Version:

Check application files for version markers or readme.txt

Verify Fix Applied:

Repeat the test with the same payload after the fix. It should return an error or leave the database unmodified.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple DELETE operations from single IP
  • Requests to delete.php with non-numeric ID parameters

Network Indicators:

  • HTTP requests to delete.php containing SQL keywords (UNION, SELECT, DELETE)
  • Unusual database traffic patterns

SIEM Query:

source="web_logs" AND uri="*delete.php*" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR*1*" OR query="*'*'*'")
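The log indicators above, turned into a small offline detector; this is an added example, not code from the vendor or the advisory. It assumes the Apache/Nginx "combined" access log format and a burst threshold of 3, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/Nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')
BURST_THRESHOLD = 3  # assumption: delete.php hits per IP in one log window worth a look

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2025:13:55:01 +0000] "GET /delete.php?ID=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:13:55:04 +0000] "GET /delete.php?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2025:13:55:05 +0000] "GET /delete.php?ID=7+UNION+SELECT+1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2025:13:55:06 +0000] "GET /delete.php?ID=3 HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.7 - - [10/Oct/2025:13:56:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2025:13:57:00 +0000] "GET /delete.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

def scan(log_text, burst_threshold=BURST_THRESHOLD):
    """Return (suspicious_requests, bursty_ips) for delete.php traffic."""
    suspicious, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/delete.php"):
            continue
        per_ip[m["ip"]] += 1
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen in clear.
        ids = parse_qs(url.query, keep_blank_values=True).get("ID", [])
        # A legitimate call carries exactly one all-digit ID; missing, repeated
        # or non-numeric values are flagged.
        if len(ids) != 1 or not (ids[0].isascii() and ids[0].isdigit()):
            suspicious.append((m["ip"], ids))
    bursty = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return suspicious, bursty

if __name__ == "__main__":
    hits, bursty = scan(SAMPLE_LOG)
    for ip, ids in hits:
        print(f"non-numeric or missing ID from {ip}: {ids!r}")
    print("IPs at or above burst threshold:", bursty)
```

Unlike the keyword-based SIEM query, this flags anything that is not a plain integer, so it does not depend on a list of SQL keywords.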
