CVE-2025-10784 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability exists in the /admin/edit_subject.php file, specifically through the manipulation of the 'subject_code' parameter. This parameter is not properly sanitized or validated, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. The vulnerability enables an attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or deletion. The CVSS 4.0 score of 6.9 classifies this as a medium severity issue, reflecting the ease of exploitation (network attack vector, no privileges or user interaction required) but limited scope and impact on confidentiality, integrity, and availability (each rated low to limited). Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The lack of available patches or mitigations from the vendor further elevates the urgency for organizations using this LMS to implement compensating controls. Given the LMS context, the vulnerability could expose sensitive educational data, user credentials, and institutional information, potentially impacting both students and staff.

For European organizations, particularly educational institutions and training providers using Campcodes LMS version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive academic and personal data. Exploitation could lead to unauthorized disclosure of student records, grades, and personal information, violating GDPR and other data protection regulations. Integrity violations could result in altered academic records or unauthorized changes to course content, undermining trust in the institution's systems. Although availability impact is limited, successful exploitation could disrupt administrative functions related to course management. The remote and unauthenticated nature of the attack vector means that attackers can target vulnerable systems from anywhere, increasing the threat surface. This is particularly concerning for European organizations that have integrated this LMS into their core educational infrastructure without sufficient security controls or monitoring. The public disclosure of the vulnerability may attract opportunistic attackers, increasing the likelihood of targeted attacks against European educational entities.

Since no official patches or vendor advisories are currently available, European organizations should implement immediate compensating controls. These include: 1) Applying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'subject_code' parameter in /admin/edit_subject.php. 2) Conducting thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries, by implementing parameterized queries or prepared statements if possible within the LMS codebase. 3) Restricting network access to the LMS administrative interface to trusted IP addresses or VPNs to reduce exposure. 4) Monitoring logs for unusual database query patterns or repeated failed attempts indicative of injection attempts. 5) Planning for an urgent update or migration to a patched version once available, or considering alternative LMS solutions with better security track records. 6) Educating administrative users about the risks and signs of compromise. 7) Regularly backing up LMS data to enable recovery in case of data integrity attacks.