CVE-2025-10782 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The flaw resides in an unspecified function within the /admin/class.php file, where improper sanitization or validation of the 'class_name' parameter allows an attacker to inject malicious SQL code. This vulnerability is remotely exploitable without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). Exploiting this flaw could enable an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even deletion. The CVSS 4.0 base score of 6.9 classifies this as a medium severity issue, reflecting a significant risk but with some limitations in impact scope (low confidentiality, integrity, and availability impacts). The vulnerability is publicly known, and although no confirmed exploits in the wild have been reported yet, the public availability of exploit code increases the risk of exploitation. The absence of available patches or mitigation links suggests that users of Campcodes LMS 1.0 must proactively implement defensive measures to reduce exposure. Given the LMS context, the vulnerability could compromise sensitive educational data, user credentials, and institutional records if exploited.

For European organizations, especially educational institutions, training providers, and corporate learning departments using Campcodes LMS 1.0, this vulnerability poses a tangible threat to data confidentiality and integrity. Exploitation could lead to unauthorized disclosure of student or employee information, manipulation of course content or grades, and disruption of learning services. Such incidents could result in regulatory non-compliance under GDPR due to personal data breaches, reputational damage, and operational downtime. The remote, unauthenticated nature of the attack vector increases the likelihood of exploitation attempts, particularly in environments where the LMS is internet-facing without adequate network segmentation or web application firewalls. Additionally, the lack of patches means organizations must rely on compensating controls, which may not fully mitigate risk. The medium severity rating indicates that while the vulnerability is serious, it may not lead to full system compromise or widespread service outages, but targeted data breaches or localized disruptions remain probable.

Organizations should immediately conduct an inventory to identify any deployments of Campcodes LMS version 1.0. In the absence of an official patch, the following specific mitigations are recommended: 1) Implement strict input validation and sanitization on the 'class_name' parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection payloads. 2) Employ parameterized queries or prepared statements if source code access and modification are possible to remediate the root cause. 3) Restrict administrative interface access to trusted IP addresses or via VPN to reduce exposure. 4) Monitor web server and database logs for unusual query patterns or injection attempts targeting 'class_name'. 5) Conduct regular backups of LMS data to enable recovery in case of data tampering. 6) Consider isolating the LMS environment within a segmented network zone with strict egress and ingress filtering. 7) Educate administrators about the vulnerability and encourage prompt reporting of suspicious activity. 8) Engage with the vendor for updates or patches and plan for an upgrade path to a secure LMS version once available.