CVE-2025-13270 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-13270?

CVE-2025-13270 has a CVSS score of 6.3 (MEDIUM). This vulnerability allows remote attackers to execute arbitrary SQL commands via the ID parameter in the /ajax.php?action=save_course endpoint in Campcodes School Fees Payment Management System 1.0. This affects all installations of version 1.0 that expose the vulnerable endpoint. Attackers could potentially read, modify, or delete database content.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary SQL commands via the ID parameter in the /ajax.php?action=save_course endpoint in Campcodes School Fees Payment Management System 1.0. This affects all installations of version 1.0 that expose the vulnerable endpoint. Attackers could potentially read, modify, or delete database content.

💻 Affected Systems

Products:

Campcodes School Fees Payment Management System

Versions: 1.0

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable if the /ajax.php endpoint is accessible.

📦 What is this software?

School Fees Payment Management System by Campcodes

View all CVEs affecting School Fees Payment Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to execute arbitrary commands.

🟠

Likely Case

Unauthorized data access, manipulation of payment records, or extraction of sensitive information like student/financial data.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting damage scope.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to sanitize the ID parameter to accept only numeric values.

Modify /ajax.php to include: if(!is_numeric($_GET['ID'])) { die('Invalid input'); }

Web Application Firewall Rule

all

Block SQL injection patterns targeting the /ajax.php endpoint.

WAF-specific configuration to block patterns like UNION, SELECT, INSERT, DELETE, DROP in the ID parameter

🧯 If You Can't Patch

Restrict network access to the system using firewall rules to allow only trusted IP addresses.
Implement database user permissions with least privilege to limit potential damage from SQL injection.

🔍 How to Verify

Check if Vulnerable:

Test the /ajax.php?action=save_course endpoint with SQL injection payloads like: ID=1' OR '1'='1

Check Version:

Check system documentation or admin panel for version information; no specific command available.

Verify Fix Applied:

Test with the same payloads after implementing fixes; should return error or no database interaction.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple requests to /ajax.php with suspicious ID parameters

Network Indicators:

HTTP requests containing SQL keywords (UNION, SELECT, etc.) in the ID parameter

SIEM Query:

source="web_logs" AND url="/ajax.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*")

📊 Metadata

CVE ID: CVE-2025-13270

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (11th percentile)

Published: November 17, 2025

Last Updated: November 19, 2025

🔗 References

https://github.com/ASantsSec/CVE/issues/16 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.332605 Permissions Required,VDB Entry
https://vuldb.com/?id.332605 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.690039 Third Party Advisory,VDB Entry
https://www.campcodes.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13270, you might also want to check these: