CVE-2025-14256 – CVE-2025-14256 is an SQL injection vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2025-14256?

CVE-2025-14256 has a CVSS score of 7.3 (HIGH). CVE-2025-14256 is an SQL injection vulnerability in itsourcecode Student Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /newcurriculm.php. This can lead to data theft, modification, or deletion. All users running the vulnerable version are affected.

📋 TL;DR

CVE-2025-14256 is an SQL injection vulnerability in itsourcecode Student Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /newcurriculm.php. This can lead to data theft, modification, or deletion. All users running the vulnerable version are affected.

💻 Affected Systems

Products:

itsourcecode Student Management System

Versions: 1.0

Operating Systems: Any OS running PHP and MySQL/MariaDB

Default Config Vulnerable: ⚠️ Yes

Notes: Affects installations with the vulnerable /newcurriculm.php file accessible via web.

📦 What is this software?

Student Management System by Angeljudesuarez

View all CVEs affecting Student Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data destruction, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to student records, grade manipulation, or extraction of sensitive information from the database.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and the exploit is public.

🏢 Internal Only: MEDIUM - Still exploitable by internal users or attackers who breach the network perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple SQL injection via ID parameter manipulation; exploit details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider applying manual fixes or workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameterized queries or input validation to /newcurriculm.php to sanitize the ID parameter.

Modify PHP code to use prepared statements: $stmt = $conn->prepare('SELECT * FROM curriculum WHERE id = ?'); $stmt->bind_param('i', $id);

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns targeting /newcurriculm.php.

Add WAF rule: Block requests to /newcurriculm.php with SQL keywords in ID parameter.

🧯 If You Can't Patch

Restrict network access to the Student Management System using firewall rules to allow only trusted IPs.
Implement database user permissions with least privilege to limit potential damage from SQL injection.

🔍 How to Verify

Check if Vulnerable:

Test /newcurriculm.php with SQL injection payloads like ' OR '1'='1 in the ID parameter and check for database errors or unexpected results.

Check Version:

Check the software version in the admin panel or via file metadata; vulnerable version is 1.0.

Verify Fix Applied:

Retest with SQL injection payloads; successful fix should return no data or error messages indicating sanitization.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in web server logs for /newcurriculm.php
Multiple rapid requests to /newcurriculm.php with varying ID parameters

Network Indicators:

HTTP requests to /newcurriculm.php containing SQL keywords like UNION, SELECT, OR in parameters

SIEM Query:

source="web_logs" AND uri="/newcurriculm.php" AND (param="ID" AND value MATCHES "(?i)(union|select|or|and|')")

📊 Metadata

CVE ID: CVE-2025-14256

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (11.4th percentile)

Published: December 8, 2025

Last Updated: December 9, 2025

🔗 References

https://github.com/J0kkeR/cve/issues/1 Exploit,Issue Tracking,Third Party Advisory
https://itsourcecode.com/ Product
https://vuldb.com/?ctiid.334762 Permissions Required,VDB Entry
https://vuldb.com/?id.334762 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.702484 Third Party Advisory,VDB Entry
https://github.com/J0kkeR/cve/issues/1 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14256, you might also want to check these: