CVE-2025-10625: SQL Injection in SourceCodester Online Exam Form Submission
A vulnerability was detected in SourceCodester Online Exam Form Submission 1.0. Affected by this vulnerability is an unknown functionality of the file /user/dashboard.php?page=update_profile. The manipulation of the argument phone results in SQL injection. The attack may be launched remotely. The exploit is now public and may be used. Other parameters might be affected as well.
AI Analysis
Technical Summary
CVE-2025-10625 is a SQL Injection vulnerability identified in SourceCodester Online Exam Form Submission version 1.0. The vulnerability exists in the /user/dashboard.php?page=update_profile endpoint, specifically through the manipulation of the 'phone' parameter. This parameter is not properly sanitized or validated, so its value reaches the database query as SQL text rather than as data, allowing an attacker to inject SQL of their choosing. The injection flaw can be exploited remotely without requiring user interaction or authentication, as indicated by the CVSS vector. The vulnerability potentially allows attackers to execute arbitrary SQL commands on the backend database, which could lead to unauthorized data access, data modification, or even deletion. Although the CVSS score is medium (5.3), the vulnerability affects confidentiality, integrity, and availability to some extent, with low attack complexity and no privileges required. The exploit is publicly available, increasing the risk of exploitation, although no known active exploitation in the wild has been reported yet. Other parameters in the same endpoint might also be vulnerable, suggesting a broader input validation issue in the affected application. The lack of available patches or official remediation guidance increases the urgency for organizations using this software to implement mitigations.
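To make the defect class concrete, the following is an added example (not code from the advisory or from the SourceCodester project) that models the update-profile flow in Python with SQLite standing in for the application's PHP/MySQL stack. The table schema, the sample rows and the injected value are constructed for the demonstration; the point is that string-splicing the phone parameter lets the value rewrite the statement, while a bound parameter stores it verbatim and an allow-list check keeps it out of the database entirely.

```python
import re
import sqlite3
from typing import List

# Allow-list for a phone field: optional '+', then digits, spaces, parentheses and dashes.
PHONE_RE = re.compile(r"\+?[0-9()][0-9 ()-]{4,19}")

# Constructed value for the demonstration: it closes the string literal and comments
# out the rest of the statement, so the vulnerable query loses its WHERE clause.
INJECTED_PHONE = "000' WHERE 1=1 --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory profile table (hypothetical schema, constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "111"), (2, "bob", "222"), (3, "carol", "333")],
    )
    conn.commit()
    return conn


def update_phone_vulnerable(conn: sqlite3.Connection, user_id: int, phone: str) -> int:
    """The defect class the advisory describes: the request value is spliced into the SQL text.
    Returns the number of rows the UPDATE touched (should be exactly one)."""
    sql = f"UPDATE users SET phone='{phone}' WHERE id={int(user_id)}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_phone_parameterized(conn: sqlite3.Connection, user_id: int, phone: str) -> int:
    """Same operation with a prepared statement: the value is bound, never parsed as SQL."""
    cur = conn.execute("UPDATE users SET phone=? WHERE id=?", (phone, user_id))
    conn.commit()
    return cur.rowcount


def update_phone_hardened(conn: sqlite3.Connection, user_id: int, phone: str) -> int:
    """Prepared statement plus an allow-list check, so malformed input never reaches the database."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("phone: value is not a phone number")
    return update_phone_parameterized(conn, user_id, phone)


def phones(conn: sqlite3.Connection) -> List[str]:
    """Current phone column, ordered by id, for inspecting what each variant did."""
    return [row[0] for row in conn.execute("SELECT phone FROM users ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows touched:", update_phone_vulnerable(db, 1, INJECTED_PHONE), phones(db))
    db = make_db()
    print("parameterized rows touched:", update_phone_parameterized(db, 1, INJECTED_PHONE), phones(db))
    try:
        update_phone_hardened(db, 2, INJECTED_PHONE)
    except ValueError as exc:
        print("hardened rejected input:", exc)
```

The vulnerable variant reports three rows changed for a request meant to touch one, which is the integrity impact the advisory describes; the parameterized variant changes one row and simply stores the odd-looking string. Validation on top of parameterization is what the Mitigation Recommendations ask for, and it is the layer that also covers the "other parameters" the description warns about, provided each one gets its own allow-list.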
Potential Impact
For European organizations using SourceCodester Online Exam Form Submission 1.0, this vulnerability poses a moderate risk. The application is likely used in educational institutions or certification bodies managing online exams and user profiles. Exploitation could lead to unauthorized access to sensitive user data, including personal information and exam-related data, potentially violating GDPR and other data protection regulations. Data integrity could be compromised, affecting the reliability of exam results and user profiles. Availability might be impacted if attackers execute destructive SQL commands or cause database corruption. The public availability of the exploit increases the likelihood of opportunistic attacks, especially against less-secured or unpatched systems. Given the medium severity, the threat is significant but not critical; however, the potential regulatory and reputational damage for affected organizations could be substantial.
Mitigation Recommendations
Since no official patches are currently available, European organizations should implement immediate compensating controls. First, restrict access to the vulnerable endpoint by applying web application firewall (WAF) rules that detect and block SQL injection patterns targeting the 'phone' parameter and other suspicious inputs. Input validation and sanitization should be enforced at the application level, using parameterized queries or prepared statements to prevent SQL injection. Organizations should conduct a thorough code review of the affected module to identify and remediate other vulnerable parameters. Monitoring and logging of database queries and web application traffic should be enhanced to detect anomalous activities. If feasible, isolate the affected application in a segmented network zone to limit potential lateral movement. Finally, organizations should plan for an upgrade or replacement of the vulnerable software version once a patch or secure version is released by the vendor or community.
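As an added example of the request-level screening the recommendations describe (a WAF rule or log-monitoring check), the following Python is not part of the advisory or the project. It treats requests as (method, URL, form body) records, decodes the query string and body, and flags a request to the update_profile page when the phone value fails a phone allow-list or when any other parameter carries SQL metacharacters. The sample requests, the regexes and the assumption that profile fields arrive URL-encoded are all constructed here.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Same allow-list idea as for the database layer: optional '+', digits, spaces, parentheses, dashes.
PHONE_RE = re.compile(r"\+?[0-9()][0-9 ()-]{4,19}")
# Tokens that have no business in a profile field (quotes, statement terminator, comment openers,
# a few SQL keywords). A coarse net, intended for alerting on this endpoint, not as a general parser.
SQL_META_RE = re.compile(r"['\";]|--|/\*|\b(?:union|select|sleep|benchmark)\b", re.IGNORECASE)

# Constructed sample traffic (not real logs): (method, url, url-encoded form body).
SAMPLE_REQUESTS = [
    ("POST", "/user/dashboard.php?page=update_profile", "phone=%2B49+30+1234567&address=Berlin"),
    ("POST", "/user/dashboard.php?page=update_profile", "phone=000%27+WHERE+1%3D1+--&address=Berlin"),
    ("POST", "/user/dashboard.php?page=update_profile", "phone=5550100&address=1%27+OR+%271%27%3D%271"),
    ("GET", "/user/dashboard.php?page=view_results", ""),
    ("POST", "/user/dashboard.php?page=update_profile", "phone=%28030%29+123-4567"),
]


def is_update_profile(url: str) -> bool:
    """True for the endpoint named in the advisory: /user/dashboard.php with page=update_profile."""
    parts = urlsplit(url)
    return parts.path.endswith("/user/dashboard.php") and parse_qs(parts.query).get("page") == ["update_profile"]


def screen_request(method: str, url: str, body: str) -> List[Tuple[str, str]]:
    """Return (parameter, reason) findings for one request; an empty list means nothing looked wrong."""
    if not is_update_profile(url):
        return []
    params = parse_qs(body, keep_blank_values=True)
    # Query-string parameters other than the page selector are screened too.
    for name, values in parse_qs(urlsplit(url).query).items():
        if name != "page":
            params.setdefault(name, []).extend(values)
    findings = []
    for name, values in params.items():
        for value in values:
            if name == "phone" and not PHONE_RE.fullmatch(value):
                findings.append((name, "fails phone allow-list"))
            elif SQL_META_RE.search(value):
                findings.append((name, "contains SQL metacharacters"))
    return findings


def scan(requests) -> Dict[int, List[Tuple[str, str]]]:
    """Map request index to its findings, keeping only requests that produced at least one."""
    hits = {}
    for index, (method, url, body) in enumerate(requests):
        findings = screen_request(method, url, body)
        if findings:
            hits[index] = findings
    return hits


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(f"request #{index}: {findings}")
```

Run against the constructed sample, the scan flags the second request on the phone allow-list and the third on its address field, and leaves the two well-formed profile updates and the unrelated page alone. Pairing the endpoint-specific allow-list (high precision on the parameter the advisory names) with the broad metacharacter check (coverage for the parameters it only hints at) is the usual trade-off for an interim rule while a code fix is pending.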
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-17T11:57:22.449Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68cb4e05e5fa2c8b1490b344
Added to database: 9/18/2025, 12:10:45 AM
Last enriched: 9/25/2025, 12:42:56 AM
Last updated: 10/29/2025, 5:00:07 PM