CVE-2025-11347 – This vulnerability allows unauthenticated attac... (How to Fix)

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload arbitrary files to Student Crud Operation systems, leading to remote code execution. It affects all versions up to 3.3 of the Student Crud Operation software. Attackers can exploit this remotely without any authentication.

💻 Affected Systems

Products:

Student Crud Operation

Versions: All versions up to and including 3.3

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the add.php file in both Add Student Page and Edit Student Page components.

📦 What is this software?

Crud Operation System by Code Projects

View all CVEs affecting Crud Operation System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.

🟢

If Mitigated

File uploads blocked or properly validated, limiting impact to denial of service or minor data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit code is publicly available and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates
2. If patch available, download and apply
3. Test functionality after update

🔧 Temporary Workarounds

File Upload Restriction

all

Implement strict file upload validation in add.php

// Add to add.php before move_uploaded_file:
$allowed_extensions = ['jpg', 'png', 'pdf'];
$file_extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_extensions)) {
    die('Invalid file type');
}

Web Server Configuration

all

Restrict execution of uploaded files in upload directory

# Apache: Add to .htaccess in upload directory
<FilesMatch "\.(php|php5|phtml|phar)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# Nginx: Add to server block
location ~* ^/uploads/.*\.(php|php5|phtml|phar)$ {
    deny all;
}

🧯 If You Can't Patch

Disable file upload functionality completely in add.php
Implement WAF rules to block suspicious file upload requests

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a PHP file to the add.php endpoint and check if it executes

Check Version:

Check version in software interface or configuration files

Verify Fix Applied:

Test that PHP files cannot be uploaded or executed in upload directory

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to add.php
Execution of files from upload directory
POST requests with PHP file extensions

Network Indicators:

HTTP POST requests to add.php with file uploads
Subsequent requests to uploaded files

SIEM Query:

source="web_logs" AND (uri="/add.php" AND method="POST" AND file_extension="php")

📊 Metadata

CVE ID: CVE-2025-11347

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-284

EPSS Score: 0.08% exploit probability (23.7th percentile)

Published: October 7, 2025

Last Updated: October 14, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/romatdibrohiksnov/vulndb.com/tree/main/Student-Registration-Crud-Operation%20Unauthenticated%20Arbitrary%20File%20Upload%20leads%20to%20Remote%20Code%20Execution Exploit,Third Party Advisory
https://vuldb.com/?ctiid.327232 Permissions Required,VDB Entry
https://vuldb.com/?id.327232 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.664897 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11347, you might also want to check these: