CVE-2025-9667 in Simple Grading Systeminfo

Summary

by MITRE • 08/29/2025

A vulnerability was detected in code-projects Simple Grading System 1.0. This affects an unknown part of the file /delete_account.php of the component Admin Panel. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/09/2025

The vulnerability identified as CVE-2025-9667 represents a critical sql injection flaw within the code-projects Simple Grading System version 1.0, specifically affecting the administrative panel component. This issue manifests in the /delete_account.php file where insufficient input validation allows malicious actors to manipulate the ID parameter, potentially leading to unauthorized database access and data manipulation. The vulnerability's exposure through the admin panel interface creates a significant attack surface that could be exploited by remote threat actors without requiring physical access to the system infrastructure.

The technical implementation of this vulnerability stems from improper sanitization of user-supplied input within the delete_account.php script. When the ID parameter is passed to the database query without adequate filtering or parameterization, attackers can inject malicious sql commands that bypass authentication mechanisms and execute arbitrary database operations. This flaw directly corresponds to CWE-89 which categorizes sql injection vulnerabilities as a critical security weakness in software applications. The vulnerability's remote exploitability means that threat actors can initiate attacks from external networks without requiring local system access, significantly expanding the potential attack vector and impact scope.

The operational impact of this vulnerability extends beyond simple data theft to encompass complete administrative control of the grading system database. Successful exploitation could enable attackers to delete user accounts, modify academic records, access sensitive student information, and potentially escalate privileges to gain full system control. The public availability of exploit code further amplifies the risk as it lowers the barrier to entry for potential attackers, including those with limited technical expertise. This vulnerability particularly affects educational institutions that rely on the system for managing academic data, creating potential privacy violations and data integrity issues that could have long-term consequences for both students and administrators.

Mitigation strategies for CVE-2025-9667 should prioritize immediate implementation of parameterized queries and input validation mechanisms within the affected php script. The system administrators must ensure that all user-supplied parameters are properly sanitized and validated before being processed by database operations. Additionally, implementing proper access controls and authentication mechanisms within the admin panel can limit the potential damage from successful exploitation attempts. Network-level protections such as web application firewalls and intrusion detection systems should be deployed to monitor for suspicious sql injection patterns. The remediation process should also include comprehensive code review to identify similar vulnerabilities in other components of the grading system, following security best practices outlined in the OWASP Top Ten and NIST cybersecurity guidelines. Regular security assessments and vulnerability scanning should be conducted to prevent similar issues from emerging in future system versions.

Responsible

VulDB

Disclosure

08/29/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00351

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!