CVE-2025-13468

5.4 MEDIUM

📋 TL;DR

This vulnerability allows unauthorized deletion of forum posts, careers, comments, gallery items, and events in SourceCodester Alumni Management System 1.0. Attackers can remotely exploit this missing authorization flaw to delete data without proper authentication. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • SourceCodester Alumni Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin/admin_class.php file's delete functions when the system is deployed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete deletion of all forum content, career listings, comments, gallery items, and events, causing data loss and disruption to alumni management operations.

🟠 Likely Case

Selective deletion of important forum discussions, career opportunities, or event information, damaging the system's integrity and user trust.

🟢 If Mitigated

No impact if proper authorization checks are implemented or if the system is not internet-facing with strong network controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available on hackmd.io, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates or consider alternative software.

🔧 Temporary Workarounds

Implement Authorization Checks (platform: all)

Add proper session validation and role-based access control to the delete functions in admin/admin_class.php.

Manual code modification required; there is no single command.

Restrict Access to Admin Functions (platform: linux)

Use web server configuration to block direct access to admin/admin_class.php from unauthorized IPs. Scope the rule to the file itself so the rest of the admin directory keeps its normal behaviour; the example network 192.168.1.0/24 stands in for your management range.

# Apache 2.2 (mod_authz_host): add to .htaccess in the admin/ directory
<Files "admin_class.php">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
</Files>
# Apache 2.4 (mod_authz_core) equivalent of the block above
<Files "admin_class.php">
    Require ip 192.168.1.0/24
</Files>
# Nginx: add to the server block, before the generic PHP location, and keep
# the same fastcgi directives as that location so allowed requests are still
# executed rather than served as a static file
location ~ /admin/admin_class\.php$ {
    allow 192.168.1.0/24;
    deny all;
}

🧯 If You Can't Patch

  • Deploy Web Application Firewall (WAF) with rules to block unauthorized delete requests
  • Implement network segmentation to isolate the system from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Review admin/admin_class.php for missing authorization checks in delete_forum, delete_career, delete_comment, delete_gallery, delete_event functions

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Test delete functions to ensure they require proper authentication and authorization

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests invoking the delete actions of admin/admin_class.php from unauthorized IPs
  • Multiple delete operations in short timeframes from the same source

Network Indicators:

  • HTTP requests to delete endpoints without proper authentication headers

SIEM Query:

source="web_logs" AND uri="/admin/admin_class.php" AND method="POST" AND (params LIKE "%delete_forum%" OR params LIKE "%delete_career%" OR params LIKE "%delete_comment%" OR params LIKE "%delete_gallery%" OR params LIKE "%delete_event%")
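The same predicate as the SIEM query above, plus the "multiple deletes in a short timeframe" check, written out as an added Python example that is not part of this advisory or of the vendor's code. It assumes common-log-format access logs in which the delete action name appears in the request line (query string); the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed common-log lines; the action name is assumed to be in the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:14:02:01 +0000] "POST /admin/admin_class.php?action=delete_forum HTTP/1.1" 200 2
203.0.113.7 - - [10/Nov/2025:14:02:03 +0000] "POST /admin/admin_class.php?action=delete_career HTTP/1.1" 200 2
203.0.113.7 - - [10/Nov/2025:14:02:05 +0000] "POST /admin/admin_class.php?action=delete_event HTTP/1.1" 200 2
192.168.1.20 - - [10/Nov/2025:14:05:10 +0000] "POST /admin/admin_class.php?action=delete_comment HTTP/1.1" 200 2
192.168.1.20 - - [10/Nov/2025:14:30:00 +0000] "GET /admin/index.php?page=forum HTTP/1.1" 200 5120
""".splitlines()

DELETE_ACTIONS = ("delete_forum", "delete_career", "delete_comment",
                  "delete_gallery", "delete_event")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_delete_request(rec):
    """SIEM predicate: POST to admin_class.php whose parameters name a delete action."""
    if rec["method"] != "POST" or not rec["uri"].startswith("/admin/admin_class.php"):
        return False
    return any(action in rec["uri"] for action in DELETE_ACTIONS)

def delete_requests(lines):
    """Return (ip, timestamp, uri) for every delete request in the log."""
    recs = (parse_line(line) for line in lines)
    return [(r["ip"], r["ts"], r["uri"]) for r in recs if r and is_delete_request(r)]

def find_delete_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Map source IP -> largest number of delete requests inside any rolling window."""
    per_ip = defaultdict(list)
    for ip, ts, _ in delete_requests(lines):
        per_ip[ip].append(ts)
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), j - i + 1)
    return bursts
```

Run against SAMPLE_LOG, only 203.0.113.7 (three deletes in four seconds) trips the burst rule; the single delete from 192.168.1.20 is listed by delete_requests but not flagged.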
