Login Sign Up

CVE-2025-13557

7.3 HIGH
SQL Injection

📋 TL;DR

Campcodes Online Polling System 1.0 contains a SQL injection vulnerability in the /registeracc.php file's email parameter. This allows remote attackers to execute arbitrary SQL commands, potentially compromising the database. All users running this specific version are affected.

💻 Affected Systems

Products:
  • Campcodes Online Polling System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Online Polling System by Campcodes

View all CVEs affecting Online Polling System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database permissions allow.

🟠

Likely Case

Database information disclosure, user data extraction, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries as temporary mitigation.

🔧 Temporary Workarounds

Input Validation for Email Parameter

all

Add server-side validation to sanitize and validate email input in /registeracc.php

Modify registeracc.php to include email validation and use prepared statements

Web Application Firewall Rules

all

Deploy WAF rules to block SQL injection patterns targeting the email parameter

Add WAF rule: Block requests with SQL keywords in email parameter

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Test the /registeracc.php endpoint with SQL injection payloads in the email parameter (e.g., email=test' OR '1'='1)

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed registration attempts with suspicious email patterns

Network Indicators:

  • HTTP POST requests to /registeracc.php containing SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/registeracc.php" AND (email CONTAINS "' OR" OR email CONTAINS "UNION" OR email CONTAINS "SELECT")

📊 Metadata

CVE ID: CVE-2025-13557
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.04% exploit probability (11.4th percentile)
Published: November 23, 2025
Last Updated: November 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13557, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)