CVE-2025-10783 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability exists in the /admin/add_subject.php file, specifically in the handling of the 'subject_code' parameter. An attacker can manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network attack vector, low attack complexity) and the potential for partial impact on confidentiality, integrity, and availability of the system. Although the exploit is publicly available, there are no confirmed reports of active exploitation in the wild. The vulnerability does not require privileges or user interaction, making it accessible to unauthenticated remote attackers. The weakness could allow attackers to extract sensitive data, modify or delete records, or disrupt LMS operations, impacting the integrity and availability of educational data and services.

For European organizations using Campcodes LMS version 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of educational data and administrative functions. Exploitation could lead to unauthorized disclosure of sensitive student or staff information, manipulation of course or subject data, and potential disruption of learning services. This could undermine trust in educational institutions, lead to regulatory non-compliance (e.g., GDPR violations due to data breaches), and cause operational downtime. Given the critical role of LMS platforms in remote and hybrid education models, exploitation could impact educational continuity and institutional reputation across Europe.

Organizations should immediately assess their use of Campcodes LMS version 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the 'subject_code' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially in administrative interfaces. Restrict access to the /admin/add_subject.php endpoint via network segmentation and IP whitelisting to limit exposure. Monitor logs for suspicious database queries or unusual activity related to subject management functions. Additionally, perform regular security assessments and penetration testing focused on injection flaws to identify and remediate similar vulnerabilities proactively.