CVE-2025-14222 – CVE-2025-14222 is a SQL injection vulnerability... (How to Fix)

Q: What is the severity of CVE-2025-14222?

CVE-2025-14222 has a CVSS score of 6.3 (MEDIUM). CVE-2025-14222 is a SQL injection vulnerability in code-projects Employee Profile Management System 1.0 that allows attackers to manipulate database queries through the per_id parameter in /print_personnel_report.php. This can lead to unauthorized data access, modification, or deletion. Organizations using this specific software version are affected.

📋 TL;DR

CVE-2025-14222 is a SQL injection vulnerability in code-projects Employee Profile Management System 1.0 that allows attackers to manipulate database queries through the per_id parameter in /print_personnel_report.php. This can lead to unauthorized data access, modification, or deletion. Organizations using this specific software version are affected.

💻 Affected Systems

Products:

code-projects Employee Profile Management System

Versions: 1.0

Operating Systems: All platforms running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Any installation with the vulnerable file accessible via web server is affected. No special configuration required.

📦 What is this software?

Employee Profile Management System by Carmelogarcia

View all CVEs affecting Employee Profile Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, or full system takeover via SQL injection leading to remote code execution.

🟠

Likely Case

Unauthorized access to sensitive employee data (personal information, salaries, etc.) and potential data manipulation.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to specific tables.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances particularly vulnerable.

🏢 Internal Only: MEDIUM - Internal systems are still vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub and vuldb. The vulnerability requires no authentication and has simple exploitation vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates. Consider implementing workarounds or replacing the software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameter validation and sanitization to the per_id parameter in print_personnel_report.php

Modify PHP code to use prepared statements: $stmt = $conn->prepare('SELECT * FROM personnel WHERE id = ?'); $stmt->bind_param('i', $per_id);

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint

Add WAF rule: Block requests to /print_personnel_report.php with SQL keywords in per_id parameter

🧯 If You Can't Patch

Isolate the system from internet access and restrict internal access to authorized users only.
Implement database-level controls: restrict application database user permissions to minimum required operations.

🔍 How to Verify

Check if Vulnerable:

Test the /print_personnel_report.php endpoint with SQL injection payloads in the per_id parameter (e.g., per_id=1' OR '1'='1). Monitor for database errors or unexpected responses.

Check Version:

Check the software version in the application interface or configuration files. Look for version 1.0 in the source code or documentation.

Verify Fix Applied:

After implementing fixes, retest with the same SQL injection payloads. Verify that input is properly sanitized and no database errors are returned.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple requests to /print_personnel_report.php with suspicious per_id values
Database query logs showing unexpected SQL patterns

Network Indicators:

HTTP requests containing SQL keywords (SELECT, UNION, etc.) in URL parameters
Unusual traffic patterns to the vulnerable endpoint

SIEM Query:

source="web_server" AND uri="/print_personnel_report.php" AND (param="per_id" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|'|;)")

📊 Metadata

CVE ID: CVE-2025-14222

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (11th percentile)

Published: December 8, 2025

Last Updated: December 10, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/tiancesec/CVE/issues/14 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.334664 Permissions Required,VDB Entry
https://vuldb.com/?id.334664 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.701636 Third Party Advisory,VDB Entry
https://github.com/tiancesec/CVE/issues/14 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14222, you might also want to check these: