CVE-2025-10625: SQL Injection in SourceCodester Online Exam Form Submission

Severity: Medium
Tags: Vulnerability, CVE-2025-10625
Published: Wed Sep 17 2025 (09/17/2025, 23:02:08 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Exam Form Submission

Description

A vulnerability was detected in SourceCodester Online Exam Form Submission 1.0. Affected by this vulnerability is an unknown functionality of the file /user/dashboard.php?page=update_profile. The manipulation of the argument phone results in SQL injection. The attack may be launched remotely. The exploit is now public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

Last updated: 09/18/2025, 00:10:58 UTC

Technical Analysis

CVE-2025-10625 is a medium-severity SQL injection vulnerability identified in SourceCodester Online Exam Form Submission version 1.0. The vulnerability exists in the /user/dashboard.php?page=update_profile endpoint, specifically through the manipulation of the 'phone' parameter. This parameter is not properly sanitized or validated, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. The vulnerability potentially extends to other parameters as well, increasing the attack surface. Exploiting this flaw could allow an attacker to execute arbitrary SQL commands on the backend database, leading to unauthorized data access, data modification, or even deletion. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently observed in the wild, the exploit code is publicly available, increasing the risk of exploitation. The absence of official patches or mitigation guidance from the vendor further exacerbates the threat.

Potential Impact

For European organizations, particularly educational institutions and examination bodies using SourceCodester Online Exam Form Submission 1.0, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized disclosure of sensitive student data, including personal information and exam results, violating GDPR and other data protection regulations. Data integrity could be compromised, allowing attackers to alter exam submissions or user profiles, undermining the credibility of examination processes. Availability impacts, while partial, could disrupt online exam operations, causing reputational damage and operational delays. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially in environments where the affected software is exposed to the internet. The lack of patches means organizations must rely on alternative mitigations, increasing operational overhead and risk exposure.

Mitigation Recommendations

European organizations should immediately conduct an inventory to identify deployments of SourceCodester Online Exam Form Submission version 1.0. Given the absence of official patches, organizations should implement the following specific mitigations:

1) Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'phone' parameter and other input fields in the update_profile page.
2) Employ input validation and sanitization at the application or proxy level to reject suspicious input before it reaches the backend.
3) Restrict access to the affected endpoint by IP whitelisting or VPN access to limit exposure.
4) Monitor logs for unusual database queries or repeated failed attempts indicative of SQL injection attempts.
5) Consider isolating or temporarily disabling the vulnerable functionality if feasible until a vendor patch is available.
6) Plan for an upgrade or migration to a patched or alternative solution as soon as it becomes available.
7) Educate development and security teams about secure coding practices to prevent similar vulnerabilities in custom or third-party applications.
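Mitigations 2 and 4 above can be combined into one small check. The following is an added example written for this page, not code from SourceCodester or from the CVE record: it applies a strict allow-list to the 'phone' value (digits with an optional leading plus, a bounded length) and then runs that same allow-list over access-log lines for requests to /user/dashboard.php?page=update_profile, flagging any request whose phone value would have been rejected. The log lines, IP addresses and phone values are constructed for the example; the log format is assumed to be the common Apache/Nginx combined format, and the phone allow-list is an assumption about what a legitimate value looks like in this application.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log sample (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Sep/2025:00:01:02 +0000] "GET /user/dashboard.php?page=update_profile&phone=%2B4915112345678 HTTP/1.1" 200 1834
203.0.113.11 - - [18/Sep/2025:00:01:05 +0000] "GET /user/dashboard.php?page=update_profile&phone=0151%2712345 HTTP/1.1" 200 1834
203.0.113.12 - - [18/Sep/2025:00:01:09 +0000] "GET /user/dashboard.php?page=exam_list HTTP/1.1" 200 5120
203.0.113.13 - - [18/Sep/2025:00:01:12 +0000] "GET /user/dashboard.php?page=update_profile&phone=0151123456789012345678901 HTTP/1.1" 200 1834
"""

# Allow-list for the phone field (assumption): optional '+', then 6 to 20 digits.
# Anything else (letters, quotes, spaces, over-long values) is rejected outright,
# which is safer than trying to enumerate "bad" characters.
PHONE_RE = re.compile(r"^\+?[0-9]{6,20}$")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

AFFECTED_PATH = "/user/dashboard.php"
AFFECTED_PAGE = "update_profile"


def is_valid_phone(value: str) -> bool:
    """Allow-list validation to apply before the value reaches any SQL."""
    return PHONE_RE.fullmatch(value) is not None


def parse_request(line: str):
    """Return the fields of one combined-format log line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str):
    """Flag update_profile requests whose phone value fails the allow-list.

    Returns a list of dicts with ip, timestamp and the offending decoded value.
    """
    findings = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        url = urlparse(req["target"])
        if url.path != AFFECTED_PATH:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if qs.get("page") != [AFFECTED_PAGE]:
            continue
        for phone in qs.get("phone", []):
            if not is_valid_phone(phone):
                findings.append({"ip": req["ip"], "timestamp": req["ts"], "phone": phone})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} rejected phone value {f['phone']!r}")
```

Two caveats apply. Access logs only record the query string, so if the real update_profile form submits by POST the phone value never appears in the log and this scan sees nothing; the allow-list then has to be enforced in the application or at a reverse proxy that inspects request bodies, which is what mitigation 2 asks for. Second, an allow-list on the input reduces exposure but is not a substitute for the code-level fix the page lists under mitigation 7: the query that writes the phone value should use a parameterized statement rather than string concatenation.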

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T11:57:22.449Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cb4e05e5fa2c8b1490b344

Added to database: 9/18/2025, 12:10:45 AM

Last enriched: 9/18/2025, 12:10:58 AM

Last updated: 9/18/2025, 2:43:12 PM