CVE-2025-14206 – This vulnerability in SourceCodester Online Stu... (How to Fix)

Q: What is the severity of CVE-2025-14206?

CVE-2025-14206 has a CVSS score of 6.5 (MEDIUM). This vulnerability in SourceCodester Online Student Clearance System 1.0 allows attackers to bypass authorization controls and delete fee records without proper authentication. The flaw exists in the /Admin/delete-fee.php file where the ID parameter can be manipulated. Any organization using this software with internet exposure is affected.

📋 TL;DR

This vulnerability in SourceCodester Online Student Clearance System 1.0 allows attackers to bypass authorization controls and delete fee records without proper authentication. The flaw exists in the /Admin/delete-fee.php file where the ID parameter can be manipulated. Any organization using this software with internet exposure is affected.

💻 Affected Systems

Products:

SourceCodester Online Student Clearance System

Versions: 1.0

Operating Systems: Any OS running PHP web server

Default Config Vulnerable: ⚠️ Yes

Notes: The system appears vulnerable in default configuration as the flaw is in the application code itself.

📦 What is this software?

Online Student Clearance System by Senior Walter

View all CVEs affecting Online Student Clearance System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete all fee records, causing data loss and disrupting financial operations of educational institutions.

🟠

Likely Case

Unauthorized deletion of fee records leading to data integrity issues and administrative disruption.

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and has public exploit details available.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability involves simple parameter manipulation and has been publicly disclosed with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates or consider alternative software.

🔧 Temporary Workarounds

Restrict access to /Admin/ directory

all

Block external access to the vulnerable admin directory using web server configuration

# Apache: Add to .htaccess
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
# Nginx: Add to server block
location /Admin/ {
    deny all;
    allow 192.168.1.0/24;
}

Implement authentication middleware

all

Add proper session validation before processing delete-fee.php requests

<?php
// Add to delete-fee.php
session_start();
if (!isset($_SESSION['admin_logged_in']) || $_SESSION['admin_logged_in'] !== true) {
    header('HTTP/1.0 403 Forbidden');
    exit('Access denied');
}
?>

🧯 If You Can't Patch

Implement network segmentation to isolate the system from untrusted networks
Deploy a web application firewall (WAF) with rules to block unauthorized access to /Admin/delete-fee.php

🔍 How to Verify

Check if Vulnerable:

Test if you can access http://[target]/Admin/delete-fee.php?id=1 without proper authentication. If it returns success or processes the request, the system is vulnerable.

Check Version:

Check the software version in the admin panel or footer, or examine the source code for version markers.

Verify Fix Applied:

Attempt the same test after implementing workarounds - should receive 403 Forbidden or authentication prompt.

📡 Detection & Monitoring

Log Indicators:

HTTP 200 responses to /Admin/delete-fee.php from unauthorized IPs
Multiple DELETE-like operations on fee records without corresponding admin login events

Network Indicators:

HTTP requests to /Admin/delete-fee.php with ID parameter from external IPs
Unusual pattern of POST/GET requests to admin endpoints

SIEM Query:

source="web_server" AND (uri="/Admin/delete-fee.php" OR uri LIKE "%/Admin/delete-fee.php%") AND NOT (src_ip IN [admin_network_range])

📊 Metadata

CVE ID: CVE-2025-14206

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE: CWE-266

EPSS Score: 0.18% exploit probability (40th percentile)

Published: December 8, 2025

Last Updated: December 9, 2025

🔗 References

https://github.com/rassec2/dbcve/issues/8 Exploit,Issue Tracking,Mitigation,Third Party Advisory
https://vuldb.com/?ctiid.334649 Permissions Required,VDB Entry
https://vuldb.com/?id.334649 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.700465 Third Party Advisory,VDB Entry
https://www.sourcecodester.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14206, you might also want to check these: