CVE-2025-2660

7.3 HIGH

📋 TL;DR

This high-severity SQL injection vulnerability (CVSS 7.3) in Project Worlds Online Time Table Generator 1.0 allows remote attackers to inject arbitrary SQL through the 'e' parameter of /admin/index.php. Successful exploitation can lead to theft, modification, or deletion of database contents. All deployments of version 1.0 are affected, and no fixed version has been published.

💻 Affected Systems

Products:
  • Project Worlds Online Time Table Generator
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. The /admin/index.php file with the 'e' parameter is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise, including exfiltration of sensitive data, escalation to an administrative account, and potential system takeover if the injection can be chained into code execution (for example through file-write functions available to an over-privileged database user).

🟠 Likely Case

Unauthorized access to timetable data, theft of user information, and possible corruption of the database.

🟢 If Mitigated

Limited impact: with parameterized queries, input validation, and a least-privilege database account, an attacker obtains at most error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. The attack requires access to the admin interface, but the SQL injection itself is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Rewrite the query that consumes the 'e' parameter in /admin/index.php as a prepared statement with bound parameters, and validate the parameter against the format you expect before using it. Consider migrating to maintained alternative software.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Platform: all

Replace the dynamic query built from the 'e' parameter in /admin/index.php with a prepared statement (bound parameters), and validate the parameter's format before use. Escaping alone is a weaker fallback and should only be relied on where prepared statements are not possible.
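The following is an added illustration (not the project's own code, which is PHP) of why the fix above works. It models the flawed pattern and its hardened form against an in-memory SQLite table: the vulnerable function splices the 'e' value into the SQL text, so the advisory's payload turns the WHERE clause into a tautology and returns every row; the fixed function binds the value as a parameter, so the same input matches nothing. The table name, column names, and rows are constructed for the example and are not taken from the real application.

```python
import sqlite3

# Constructed sample data standing in for the application's real table.
SAMPLE_ROWS = [
    ("alice@example.com", "alice-hash"),
    ("bob@example.com", "bob-hash"),
]

PAYLOAD = "1' OR '1'='1"   # the payload quoted in the advisory's verification step


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, pass_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO admin (email, pass_hash) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, e):
    """Models the flaw: the request parameter is concatenated into the SQL text.

    With e = "1' OR '1'='1" the statement becomes
        SELECT email FROM admin WHERE email = '1' OR '1'='1'
    and the OR makes the condition true for every row.
    """
    sql = "SELECT email FROM admin WHERE email = '" + e + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, e):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT email FROM admin WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (e,))]


def demo():
    """Run both lookups against the payload and a legitimate value."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),   # every row leaks
        "fixed": lookup_fixed(conn, PAYLOAD),             # nothing matches
        "fixed_valid": lookup_fixed(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same change applies in the application's PHP: move the value out of the query string and into a bound parameter (mysqli or PDO prepared statements), and keep any format validation as an additional layer rather than the only defense.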

Web Application Firewall

Platform: all

Deploy WAF rules that block requests to /admin/index.php whose 'e' parameter contains SQL injection patterns. Treat this as a stopgap: signature-based rules can be bypassed with encoding and comment tricks, so the code fix is still required.

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with strict input filtering
  • Run the application with a least-privilege database account (access only to the tables it needs, no file or administrative privileges) and restrict network access to the database server to the application host
  • Restrict access to /admin/ to trusted source addresses or a VPN

🔍 How to Verify

Check if Vulnerable:

Against an instance you are authorized to test, request /admin/index.php?e=1' OR '1'='1 (URL-encode the quotes and spaces when sending) and compare the response with a benign value such as e=1. A SQL error message, or a response that differs in a way consistent with the injected condition being true (for example, additional records returned), indicates the parameter is injectable.

Check Version:

Check application version in admin panel or readme files

Verify Fix Applied:

Re-test with the same payloads and confirm the application now returns the benign response (or a normal validation error) rather than SQL errors or altered results.
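An added example (not from the advisory or the project) of the differential check described above, written as a script a tester could run against an authorized instance. It sends three requests with the 'e' parameter properly URL-encoded: a benign value, the advisory's OR-true payload, and the same payload with a false condition. A leaked SQL error, or a true-response that differs from the false-response while the false-response matches the baseline, points to injection. The `fetch` argument is injectable so the logic can be exercised offline; the two `_fake_*` functions are constructed stand-ins for a vulnerable and a fixed server, and the error-marker strings are assumed typical PHP/MySQL messages, not strings confirmed from this application.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
import urllib.request

PATH = "/admin/index.php"
BENIGN = "1"
OR_TRUE = "1' OR '1'='1"    # payload quoted in the advisory
OR_FALSE = "1' OR '1'='2"   # same shape, injected condition false

# Assumed markers a PHP/MySQL stack commonly leaks when a query breaks.
SQL_ERROR_MARKERS = (
    "You have an error in your SQL syntax",
    "mysqli_",
    "mysql_fetch",
    "SQLSTATE[",
)


def build_url(base, value):
    """Encode the payload; the raw quotes and spaces are not safe to paste into a URL."""
    return base.rstrip("/") + PATH + "?" + urlencode({"e": value})


def http_fetch(url, timeout=10):
    """Real fetch, for use only against an instance you are authorized to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_injectable(base, fetch=http_fetch):
    """Return a verdict string from a baseline/true/false differential."""
    baseline = fetch(build_url(base, BENIGN))
    on_true = fetch(build_url(base, OR_TRUE))
    on_false = fetch(build_url(base, OR_FALSE))

    if any(m in body for body in (on_true, on_false) for m in SQL_ERROR_MARKERS):
        return "vulnerable: SQL error leaked"
    if on_true != on_false and on_false == baseline:
        return "vulnerable: response depends on injected condition"
    return "no injection observed"


# --- constructed stand-ins so the check can be exercised offline ---

def _fake_vulnerable(url):
    """Behaves like the flawed page: an always-true OR returns every row."""
    e = parse_qs(urlsplit(url).query)["e"][0]
    if "'1'='1" in e:
        return "2 timetable rows"
    return "0 timetable rows"


def _fake_fixed(url):
    """Behaves like the patched page: the value is bound, no row matches."""
    parse_qs(urlsplit(url).query)["e"]
    return "0 timetable rows"


if __name__ == "__main__":
    print("vulnerable fake:", check_injectable("http://target.test", fetch=_fake_vulnerable))
    print("fixed fake:     ", check_injectable("http://target.test", fetch=_fake_fixed))
```

To run it for real, call `check_injectable("http://host")` with the default `http_fetch`. A WAF that blocks the payloads will usually produce a 403 page for both true and false requests, which this logic reports as "no injection observed"; confirm the code fix separately rather than relying on that result.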

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in application logs
  • Multiple failed login attempts to admin interface
  • Unusual database queries from application user

Network Indicators:

  • HTTP requests to /admin/index.php with SQL keywords in parameters
  • Unusual outbound database connections

SIEM Query:

source="web_logs" AND uri="/admin/index.php" AND (param="e" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|exec|--|#|;)")

URL-decode the query string before matching, since payloads arrive encoded. Note that this keyword list does not match the ' OR '1'='1 payload used in the verification step above, so add a pattern for a quote followed by OR/AND; the #, ; and -- tokens will also produce false positives on legitimate traffic, so tune the rule after reviewing a baseline.
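An added example (not from the advisory) of the SIEM logic above applied to raw web-server logs, for environments where the access log is the only available source. It parses Apache combined-format lines, URL-decodes the query string, isolates the 'e' parameter of /admin/index.php, and matches the advisory's keyword set extended with a quote-then-OR/AND pattern so the advisory's own verification payload is caught. The log lines are constructed for the example and do not come from any real system.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /admin/index.php?e=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2025:10:01:07 +0000] "GET /admin/index.php?e=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 4096 "-" "curl/8.4.0"
10.0.0.9 - - [12/Mar/2025:10:01:09 +0000] "GET /admin/index.php?e=1%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 500 233 "-" "curl/8.4.0"
10.0.0.5 - - [12/Mar/2025:10:02:00 +0000] "GET /index.php?e=1%27+OR+1%3D1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2025:10:03:00 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory's keyword set plus a quote followed by OR/AND, which the
# advisory's own ' OR '1'='1 payload needs. Word boundaries cut down on
# matches inside ordinary words (e.g. "selection").
SQLI_RE = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\binsert\b|\bupdate\b|\bdelete\b|\bdrop\b|"
    r"\bexec\b|--|#|;|'\s*(?:or|and)\s+)"
)

TARGET_PATH = "/admin/index.php"


def flag_sqli(log_text):
    """Return (ip, status, decoded e value) for requests matching the rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs URL-decodes, so %27 becomes ' before the pattern is applied.
        for value in parse_qs(parts.query).get("e", []):
            if SQLI_RE.search(value):
                hits.append((m.group("ip"), m.group("status"), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in flag_sqli(SAMPLE_LOG):
        print(f"{ip} {status} e={value!r}")
```

Only GET requests carry the parameter in the access log; if the application submits 'e' in a POST body, this needs a request-body log (for example from the WAF or reverse proxy) rather than the standard access log. Expect the bare `#` and `;` alternatives to flag some legitimate values; keep them only if a baseline review shows they are rare in your traffic.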

🔗 References
