CVE-2025-7557 – This critical SQL injection vulnerability in co... (How to Fix)

Q: What is the severity of CVE-2025-7557?

CVE-2025-7557 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in code-projects Voting System 1.0 allows remote attackers to manipulate database queries through the ID parameter in /admin/voters_row.php. Attackers can potentially read, modify, or delete database contents, including sensitive voter information. Organizations using this voting system software are affected.

📋 TL;DR

This critical SQL injection vulnerability in code-projects Voting System 1.0 allows remote attackers to manipulate database queries through the ID parameter in /admin/voters_row.php. Attackers can potentially read, modify, or delete database contents, including sensitive voter information. Organizations using this voting system software are affected.

💻 Affected Systems

Products:

code-projects Voting System

Versions: 1.0

Operating Systems: All platforms running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the admin interface at /admin/voters_row.php. Requires PHP environment with database backend.

📦 What is this software?

Voting System by Fabian

View all CVEs affecting Voting System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, voter information exposure, system takeover, and potential manipulation of election results.

🟠

Likely Case

Unauthorized access to voter data, potential privilege escalation, and database manipulation affecting system integrity.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or minimal data exposure.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects web-accessible admin functionality.

🏢 Internal Only: MEDIUM - While still exploitable internally, attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly disclosed. Attack requires access to admin interface but SQL injection is straightforward to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative voting systems or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement parameterized queries and input validation for the ID parameter in voters_row.php

Modify /admin/voters_row.php to use prepared statements: $stmt = $conn->prepare('SELECT * FROM voters WHERE id = ?'); $stmt->bind_param('i', $_GET['ID']);

Access Restriction

linux

Restrict access to /admin/voters_row.php using IP whitelisting or additional authentication

Add .htaccess with: Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block SQL injection patterns targeting the ID parameter
Isolate the voting system from internet access and restrict internal network access to authorized users only

🔍 How to Verify

Check if Vulnerable:

Test the /admin/voters_row.php endpoint with SQL injection payloads like: /admin/voters_row.php?ID=1' OR '1'='1

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Test with same payloads after implementing fixes - should return error or no data rather than executing SQL

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in PHP logs
Multiple failed login attempts to admin interface
Unexpected database queries from web server

Network Indicators:

HTTP requests to /admin/voters_row.php with SQL keywords in parameters
Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/voters_row.php" AND (param="ID" AND value MATCHES "'.*OR.*|'.*AND.*|'.*UNION.*")

📊 Metadata

CVE ID: CVE-2025-7557

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (8.6th percentile)

Published: July 14, 2025

Last Updated: July 16, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/i-Corner/cve/issues/5 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.316255 Permissions Required,VDB Entry
https://vuldb.com/?id.316255 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.615023 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-7557, you might also want to check these: