CVE-2025-11552

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in code-projects Online Complaint Site 1.0 allows attackers to manipulate database queries through the Category parameter in /admin/category.php. Attackers can potentially read, modify, or delete database contents remotely. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • code-projects Online Complaint Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /admin/category.php endpoint to be accessible. Default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data destruction, or potential remote code execution if database permissions allow.

🟠 Likely Case: Unauthorized data access, privilege escalation, or database manipulation leading to site defacement or data leakage.

🟢 If Mitigated: Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. The attack requires access to the admin interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Apply input validation and parameterized queries to /admin/category.php.

🔧 Temporary Workarounds

Input Validation and Sanitization
Applies to: all
Implement strict input validation for the Category parameter to reject SQL metacharacters; this reduces exposure but does not replace parameterized queries.

Web Application Firewall Rules
Applies to: all
Deploy WAF rules to block SQL injection patterns targeting /admin/category.php.

🧯 If You Can't Patch

  • Restrict access to /admin/category.php using IP whitelisting or authentication requirements
  • Implement database user with minimal permissions (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test /admin/category.php with SQL injection payloads such as ' OR '1'='1 in the Category parameter

Check Version:

Check source code or documentation for version 1.0 reference

Verify Fix Applied:

Verify that SQL injection attempts no longer alter query results and that the application returns an appropriate error message

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts to the admin interface
  • Suspicious Category parameter values in access logs

Network Indicators:

  • SQL keywords in HTTP POST requests to /admin/category.php
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/category.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "OR '1'='1")
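As an added example (not part of this advisory or the vendor's code), the detector below applies the SIEM query's three indicators to web log lines, but URL-decodes the Category value (including double-encoded probes) and matches case-insensitively, which the literal query does not. The log format and sample lines are constructed; the last sample shows that a bare "SELECT" substring match also flags benign text such as "Selection", so tune the rule before alerting on it.

```python
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_URI = "/admin/category.php"
# The same three indicators as the advisory's SIEM query, compared in upper case.
INDICATORS = ("UNION", "SELECT", "OR '1'='1")

# Constructed log format (not a real server's): METHOD URI "BODY", one request per line.
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>\S+) "(?P<body>.*)"$')

# Constructed sample lines: benign, the advisory's payload URL-encoded, a
# double-encoded UNION/SELECT probe, a hit on another endpoint, and a benign
# value that the SIEM query's bare "SELECT" substring match would also flag.
SAMPLE_LOG = [
    'POST /admin/category.php "Category=Billing&submit=Add"',
    'POST /admin/category.php "Category=%27+OR+%271%27%3D%271&submit=Add"',
    'POST /admin/category.php "Category=x%2527%2BUNION%2BSELECT%2B1&submit=Add"',
    'POST /admin/login.php "username=admin&password=%27+OR+%271%27%3D%271"',
    'POST /admin/category.php "Category=Selection+Process&submit=Add"',
]


def suspicious_category(body):
    """Return the decoded Category value that carries an indicator, else None."""
    params = parse_qs(body, keep_blank_values=True)   # decodes one layer of %XX and '+'
    for value in params.get("Category", []):
        decoded = unquote_plus(value)                   # second pass catches double-encoding
        if any(ind in decoded.upper() for ind in INDICATORS):
            return decoded
    return None


def detect(lines):
    """Return (line_number, decoded_value) for each POST to the target URI
    whose Category parameter matches an indicator; other URIs are ignored."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "POST":
            continue
        if m.group("uri").split("?", 1)[0] != TARGET_URI:
            continue
        flagged = suspicious_category(m.group("body"))
        if flagged is not None:
            hits.append((lineno, flagged))
    return hits


if __name__ == "__main__":
    for lineno, value in detect(SAMPLE_LOG):
        print(f"line {lineno}: suspicious Category={value!r}")
```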
