CVE-2025-11110 identifies a SQL injection vulnerability in Campcodes Online Learning Management System version 1.0, specifically within the /admin/school_year.php script. The vulnerability arises from improper sanitization of the 'school_year' parameter, which is directly used in SQL queries without adequate validation or parameterization. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially extracting sensitive data, modifying database contents, or disrupting service availability. The attack vector requires no user interaction and no privileges, making it highly accessible. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the attack complexity is low and no authentication is required, but the impact on confidentiality, integrity, and availability is limited to low. Although no active exploits have been observed in the wild, the public release of exploit code increases the likelihood of attacks. The vulnerability affects only version 1.0 of the Campcodes LMS, which is used primarily by educational institutions for managing school years and related data. The lack of official patches or vendor advisories at the time of publication necessitates immediate defensive measures by administrators. The vulnerability could be leveraged to access student records, administrative data, or manipulate academic year configurations, posing risks to data privacy and operational continuity.

For European organizations, particularly educational institutions using Campcodes LMS 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive academic and administrative data. Exploitation could lead to unauthorized disclosure of student information, alteration of academic records, or disruption of LMS availability, impacting educational operations. Given the remote, unauthenticated nature of the attack, threat actors could easily target multiple institutions across Europe. The public availability of exploit code further elevates the threat landscape, increasing the risk of automated or opportunistic attacks. Institutions in countries with high adoption of Campcodes LMS or with large e-learning deployments are at greater risk. Beyond direct data compromise, successful exploitation could damage institutional reputations and lead to regulatory penalties under GDPR due to data breaches. The medium severity rating suggests that while the impact is serious, it may not result in complete system takeover or widespread service disruption without additional vulnerabilities or misconfigurations.

Immediate mitigation steps include implementing strict input validation and sanitization for the 'school_year' parameter in /admin/school_year.php, preferably by refactoring the code to use parameterized queries or prepared statements to prevent SQL injection. If source code modification is not immediately feasible, deploying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection patterns targeting this parameter can reduce exposure. Network segmentation should isolate the LMS administrative interface to trusted networks only, limiting remote attack vectors. Monitoring database logs and application logs for anomalous queries or repeated failed attempts can provide early detection of exploitation attempts. Organizations should engage with Campcodes for official patches or updates and apply them promptly once available. Regular security assessments and penetration testing focused on input validation should be conducted to identify similar vulnerabilities. Additionally, backing up LMS data securely and regularly ensures recovery capability in case of data corruption or loss.