CVE-2025-11062 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability exists in the /admin/save_student.php file, specifically in the handling of the 'class_id' parameter. An attacker can manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the underlying database. The vulnerability can be exploited remotely without any authentication or user interaction, increasing the risk of automated or widespread attacks. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network attack vector, no privileges required) but limited impact on confidentiality, integrity, and availability (each rated low impact). The vulnerability has been publicly disclosed, but no known exploits are currently reported in the wild. Given the nature of the LMS, exploitation could lead to unauthorized data access or corruption of student records, course information, or administrative data, which could disrupt educational operations and compromise sensitive personal information.

For European organizations using Campcodes LMS version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of educational data. Exploitation could lead to unauthorized disclosure of student personal data, grades, and course materials, potentially violating GDPR and other data protection regulations. Integrity breaches could result in altered academic records or administrative data, undermining trust in the institution's systems. Availability impact is likely limited but could occur if database corruption or denial of service results from exploitation. The remote, unauthenticated nature of the vulnerability increases the risk of attacks originating from outside the organization, including from threat actors targeting educational institutions. This could lead to reputational damage, regulatory penalties, and operational disruption for affected European educational entities.

1. Immediate upgrade or patching: Organizations should check for and apply any official patches or updates from Campcodes addressing CVE-2025-11062. If no patch is available, consider upgrading to a newer, unaffected version of the LMS. 2. Input validation and parameterization: Review and harden the code handling the 'class_id' parameter by implementing strict input validation and using parameterized queries or prepared statements to prevent SQL injection. 3. Web application firewall (WAF): Deploy or update WAF rules to detect and block SQL injection attempts targeting the vulnerable endpoint. 4. Network segmentation and access controls: Limit access to the LMS admin interface to trusted IP addresses or VPN users to reduce exposure. 5. Monitoring and logging: Enable detailed logging of database queries and web requests to detect suspicious activity related to SQL injection attempts. 6. Incident response readiness: Prepare to respond to potential exploitation, including data integrity verification and forensic analysis. 7. Data backups: Ensure regular, secure backups of LMS databases to enable recovery in case of data corruption or loss.