
CVE-2025-10627: SQL Injection in SourceCodester Online Exam Form Submission

Severity: Medium
Type: Vulnerability (CVE-2025-10627)
Published: Wed Sep 17 2025 (09/17/2025, 23:32:09 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Exam Form Submission

Description

A vulnerability has been found in SourceCodester Online Exam Form Submission 1.0. This affects an unknown part of the file /admin/delete_user.php. Such manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 09/17/2025, 23:38:34 UTC

Technical Analysis

CVE-2025-10627 is a medium-severity SQL injection vulnerability identified in SourceCodester Online Exam Form Submission version 1.0. The vulnerability exists in the /admin/delete_user.php script, specifically in the handling of the 'ID' parameter. Improper sanitization or validation of this parameter allows an attacker to inject SQL remotely without requiring user interaction (the CVSS vector, below, records low privileges required). This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, modification, or deletion. The CVSS 4.0 vector indicates the attack can be performed over the network (AV:N) with low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is rated low (VC:L, VI:L, VA:L), indicating partial rather than full compromise of these security properties. Although no exploitation in the wild is currently known, the vulnerability has been publicly disclosed, which increases the risk of exploitation by opportunistic attackers. The absence of patches or mitigations from the vendor at this time further elevates the risk for users of this software. Given the nature of the product, an online exam form submission system, successful exploitation could lead to unauthorized deletion or modification of user accounts, potentially disrupting exam administration and compromising user data integrity and privacy.

Potential Impact

For European organizations using SourceCodester Online Exam Form Submission 1.0, this vulnerability poses a risk to the confidentiality and integrity of user data, including personal information of students or exam candidates. Exploitation could disrupt exam processes by deleting user accounts or altering exam-related data, leading to operational downtime and loss of trust. Educational institutions and certification bodies relying on this software may face reputational damage and potential regulatory scrutiny under GDPR if personal data is exposed or manipulated. The remote exploitability without authentication increases the threat surface, especially for publicly accessible admin interfaces. Although the CVSS score suggests medium severity, the impact on availability and integrity in critical educational contexts could be significant. Additionally, the lack of known exploits currently provides a window for mitigation before widespread attacks occur.

Mitigation Recommendations

Organizations should immediately audit their use of SourceCodester Online Exam Form Submission 1.0 and restrict access to the /admin/delete_user.php endpoint through network controls such as IP whitelisting or VPN access. Implement Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns targeting the 'ID' parameter. Validate the 'ID' parameter strictly and use parameterized queries or prepared statements in the application code so that user input is never concatenated into SQL. If possible, upgrade to a patched or newer version once available from the vendor. In the interim, monitor logs for suspicious activity related to user deletion or unusual database queries. Educate administrators on the risks of exposing admin interfaces publicly and enforce strong authentication and access controls. Regular backups of user data and exam records should be maintained to enable recovery in case of data tampering or deletion.
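The code-level fix described above, as an added example that is not SourceCodester's code: a hardened delete-user handler that validates the 'ID' parameter as an integer, requires an authenticated admin session, and binds the value through a PDO prepared statement instead of concatenating it into the query. The table and column names (users, id), the session key ('admin_id'), and the database credentials are assumptions for illustration.

```php
<?php
// Added example, not the project's own /admin/delete_user.php.
// Assumed schema: table `users` with integer primary key `id`.
declare(strict_types=1);
session_start();

// 1. Authorization: only an authenticated admin may reach this action.
//    (Session key 'admin_id' is an assumption.)
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Only accept a destructive action over POST, never via a GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. Validate 'ID' as a positive integer before it goes anywhere near SQL.
//    filter_input returns null when the field is absent, false when invalid.
$id = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid ID');
}

// 4. Parameterized query: the value is bound as an integer, so even a
//    string such as "1 OR 1=1" could never reach this point as SQL.
//    Credentials and DSN are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=exam_db;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
]);

$stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// 5. Audit trail: record who deleted which account and from where, so the
//    log monitoring recommended above has something concrete to watch.
error_log(sprintf(
    'admin %d deleted user %d (rows=%d) from %s',
    (int) $_SESSION['admin_id'], $id, $stmt->rowCount(), $_SERVER['REMOTE_ADDR'] ?? 'unknown'
));

header('Location: users.php');
```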


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T11:58:40.653Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cb466bd31237010cfa6062

Added to database: 9/17/2025, 11:38:19 PM

Last enriched: 9/17/2025, 11:38:34 PM

Last updated: 9/19/2025, 12:08:57 AM

