CVE-2025-15053

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in code-projects Student Information System 1.0 allows attackers to manipulate database queries through the searchbox parameter in searchresults.php. Attackers can potentially access, modify, or delete sensitive student data. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • code-projects Student Information System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠 Likely Case

Unauthorized access to sensitive student records (grades, personal information, contact details) and potential data exfiltration

🟢 If Mitigated

Limited impact with proper input validation and WAF rules blocking malicious SQL patterns

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires no authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side input validation to sanitize the searchbox parameter

Modify searchresults.php to implement parameterized queries or input sanitization

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns

Add WAF rule: deny requests containing SQL keywords in the searchbox parameter

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test searchresults.php with SQL injection payloads in the searchbox parameter (e.g., ' OR '1'='1)

Check Version:

Check system documentation or about page for version information

Verify Fix Applied:

Test with the same payloads after implementing fixes; the application should return an error or no data

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple rapid requests to searchresults.php with SQL keywords

Network Indicators:

  • HTTP requests containing SQL injection patterns in the searchbox parameter

SIEM Query:

source="web_logs" AND uri="/searchresults.php" AND (searchbox CONTAINS "UNION" OR searchbox CONTAINS "SELECT" OR searchbox CONTAINS "OR '1'='1")
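
Added example, not part of the original advisory: depending on how the SIEM extracts the field, a raw CONTAINS match can miss URL-encoded or mixed-case values, so this Python detector decodes searchbox before applying the same terms and also reports clients with repeated hits. It assumes searchbox arrives in the GET query string and that the web server writes Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Combined Log Format (assumed): client ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# The page's SIEM terms (UNION, SELECT, OR '1'='1), matched case-insensitively
# on word boundaries, with the tautology generalised to OR <x>=<x>.
SQLI_RE = re.compile(r"\b(?:union|select)\b|\bor\b\s*'?(\w+)'?\s*=\s*'?\1\b", re.IGNORECASE)


def searchbox_value(target):
    """Return the decoded searchbox value for searchresults.php, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/searchresults.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("searchbox")
    if not values:
        return None
    # parse_qs decodes once; decode again to catch double-encoded input.
    return unquote_plus(values[0])


def scan(lines, burst=2):
    """Return (hits, noisy): flagged (client, value) pairs, clients with >= burst hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = searchbox_value(m.group(2))
        if value is not None and SQLI_RE.search(value):
            hits.append((m.group(1), value))
    counts = Counter(client for client, _ in hits)
    return hits, sorted(c for c, n in counts.items() if n >= burst)


# Constructed sample lines (documentation IP ranges, hypothetical /sis/ path).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /sis/searchresults.php?searchbox=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /sis/searchresults.php?searchbox=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9001',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /sis/searchresults.php?searchbox=x%27%20uNiOn%20sElEcT%201 HTTP/1.1" 500 120',
    '198.51.100.4 - - [01/Jan/2026:10:00:03 +0000] "GET /sis/index.php?searchbox=select HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

If the application submits searchbox via POST, the value will not appear in access logs and the same matching has to run on request bodies captured by a WAF or reverse proxy.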
