CVE-2025-10627 is a medium-severity SQL Injection vulnerability identified in SourceCodester Online Exam Form Submission version 1.0. The vulnerability exists in the /admin/delete_user.php script, specifically involving the manipulation of the 'ID' parameter. An attacker can remotely exploit this flaw by injecting malicious SQL code through the 'ID' argument without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, as the injected SQL commands can lead to unauthorized data disclosure, data modification, or deletion. The CVSS score of 5.3 reflects a medium risk, primarily because some privileges are required (PR:L), and the impact on confidentiality, integrity, and availability is limited (VC:L, VI:L, VA:L). No patches or fixes have been disclosed yet, and no known exploits are currently active in the wild. However, the public disclosure of the exploit code increases the risk of future exploitation. The vulnerability affects only version 1.0 of the product, which is a web-based application used for managing online exam form submissions, likely deployed in educational or training institutions. The lack of secure coding practices in input validation and sanitization in the delete_user.php file is the root cause of this SQL injection issue.

For European organizations, especially educational institutions, training centers, and certification bodies using SourceCodester Online Exam Form Submission 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive user data, including personal information of students or exam candidates. Attackers could manipulate or delete user records, potentially disrupting exam administration and causing reputational damage. Additionally, the injection could be leveraged to escalate attacks within the network, compromising backend databases and connected systems. Given the remote exploitability without user interaction, attackers can automate attacks, increasing the risk of widespread compromise. The impact on data privacy is critical under GDPR regulations, exposing organizations to legal and financial penalties if personal data is leaked or manipulated. The medium severity score suggests that while the vulnerability is serious, exploitation requires some level of privilege, which might limit immediate risk but does not eliminate it.

Organizations should immediately audit their use of SourceCodester Online Exam Form Submission 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, implement the following mitigations: 1) Apply strict input validation and sanitization on the 'ID' parameter in /admin/delete_user.php to ensure only valid numeric or expected values are accepted. 2) Employ parameterized queries or prepared statements to prevent SQL injection attacks. 3) Restrict access to the /admin/delete_user.php endpoint to trusted administrators only, using network-level controls such as IP whitelisting or VPN access. 4) Monitor web server and database logs for unusual or suspicious queries targeting the 'ID' parameter. 5) Conduct a thorough security review of the entire application to identify and remediate similar injection flaws. 6) Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting this endpoint. 7) Educate administrators about the risks and signs of exploitation to enable rapid incident response.