CVE-2025-9666 in Simple Grading System
Summary
by MITRE • 08/29/2025
A security vulnerability has been detected in code-projects Simple Grading System 1.0. Affected by this issue is some unknown functionality of the file /delete_student.php of the component Admin Panel. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/08/2025
The vulnerability identified as CVE-2025-9666 represents a critical sql injection flaw within the code-projects Simple Grading System version 1.0, specifically affecting the administrative panel functionality. This security weakness resides in the /delete_student.php file where improper input validation allows malicious actors to manipulate the ID argument parameter. The vulnerability's classification aligns with CWE-89 which specifically addresses sql injection vulnerabilities that occur when untrusted data is incorporated into sql commands without proper sanitization or parameterization. The flaw enables attackers to execute arbitrary sql commands against the underlying database, potentially leading to complete system compromise and unauthorized data access.
The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with the capability to perform unauthorized database operations including data modification, deletion, and extraction of sensitive information. Remote exploitation capabilities mean that attackers can leverage this vulnerability from external networks without requiring physical access to the system, making it particularly dangerous for web applications that are publicly accessible. The disclosure of exploit code further amplifies the risk as it reduces the barrier to entry for potential attackers who may not possess advanced technical skills to develop custom exploitation methods. This vulnerability directly maps to attack techniques described in the ATT&CK framework under T1190 for exploit public-facing applications and T1071.004 for application layer protocol manipulation.
The technical implementation of this vulnerability stems from inadequate input validation and sanitization practices within the administrative panel component. When the ID parameter is passed to the delete_student.php script without proper sanitization or parameterized queries, attackers can inject malicious sql payloads that bypass authentication mechanisms and gain unauthorized access to database resources. This flaw indicates poor secure coding practices and highlights the importance of implementing proper input validation, output encoding, and prepared statement usage in web applications. The vulnerability's presence in an administrative panel component suggests that successful exploitation could provide attackers with elevated privileges and access to sensitive student information, academic records, and potentially user credentials stored within the system's database infrastructure. Organizations should immediately implement mitigation strategies including input validation, parameterized queries, and access controls to prevent unauthorized database access while planning for comprehensive system updates to address this critical security weakness.