CVE-2025-12254 identifies a SQL injection vulnerability in the Online Event Judging System version 1.0 developed by code-projects. The vulnerability is located in the /add_judge.php script, specifically in the handling of the 'fullname' parameter. Due to insufficient input validation and lack of parameterized queries, an attacker can inject crafted SQL commands remotely without authentication or user interaction. This injection can manipulate backend SQL queries, potentially allowing attackers to read, modify, or delete database records, escalate privileges, or execute administrative operations on the database. The CVSS 4.0 score is 5.3 (medium), reflecting the network attack vector, low complexity, no required privileges, and no user interaction, but limited scope and impact on confidentiality, integrity, and availability. No patches or vendor advisories are currently available, and no exploits are confirmed in the wild, though a public exploit exists. The vulnerability poses a risk to organizations relying on this system for managing event judges and scoring, as it could lead to data breaches or disruption of event operations.

For European organizations using the Online Event Judging System, this vulnerability could result in unauthorized access to sensitive judging data, manipulation of event results, or exposure of personal information of judges and participants. This could undermine the integrity of competitions or events, damage organizational reputation, and lead to regulatory compliance issues under GDPR if personal data is compromised. The ability to remotely exploit the vulnerability without authentication increases the risk of widespread attacks, especially in sectors heavily reliant on event management software such as education, sports, and cultural organizations. Disruption or data tampering could also affect contractual obligations and stakeholder trust. The medium CVSS score indicates moderate risk, but the availability of a public exploit elevates the urgency for mitigation.

Organizations should immediately implement input validation and sanitization on the 'fullname' parameter in /add_judge.php, preferably by adopting parameterized queries or prepared statements to prevent SQL injection. If source code modification is not feasible, deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection patterns targeting this endpoint can provide interim protection. Restricting access to the /add_judge.php endpoint to trusted IP addresses or VPN users can reduce exposure. Regularly monitoring logs for suspicious activity related to this parameter is advised. Organizations should also engage with the vendor for patches or updates and plan for timely application once available. Conducting security assessments on other input parameters and related modules is recommended to identify similar weaknesses. Finally, ensure backups of critical data are current to enable recovery in case of compromise.