CVE-2025-12254: SQL Injection in code-projects Online Event Judging System
A vulnerability was identified in code-projects Online Event Judging System 1.0. The issue affects an unknown part of the file /add_judge.php. Manipulation of the argument fullname leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-12254 identifies a SQL injection vulnerability in the Online Event Judging System version 1.0 developed by code-projects. The vulnerability resides in the /add_judge.php endpoint, specifically in the handling of the 'fullname' parameter. Due to insufficient input validation and sanitization, an attacker can inject malicious SQL statements remotely without requiring authentication or user interaction. This injection could allow unauthorized access to the backend database, potentially exposing sensitive data, modifying judge records, or disrupting the availability of the judging system. The vulnerability is classified with a CVSS 4.0 score of 5.3 (medium severity), reflecting its network attack vector, low complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is limited but present, as the vulnerability allows partial compromise of the database. Although no active exploits have been reported in the wild, a public exploit exists, increasing the risk of exploitation. The lack of official patches or updates necessitates immediate mitigation efforts by affected organizations. The Online Event Judging System is typically used in event management contexts, making the integrity and availability of judging data critical for fair competition outcomes.
Potential Impact
For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized disclosure of sensitive information stored in the judging system's database, such as personal data of judges or participants. Integrity of judging data could be compromised, potentially altering event results and damaging organizational reputation. Availability impacts could disrupt event operations, causing delays or cancellations. Organizations involved in large-scale or high-profile events are particularly at risk, as manipulation of judging outcomes could have legal and financial consequences. Additionally, the presence of a public exploit increases the likelihood of opportunistic attacks, especially against organizations that have not implemented adequate input validation or database security measures. The medium severity rating suggests that while the threat is not critical, it is significant enough to warrant prompt attention to avoid escalation or chaining with other vulnerabilities.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately fix the handling of the 'fullname' parameter in /add_judge.php by using parameterized queries or prepared statements, which prevent SQL injection regardless of input content, and back this with strict input validation and sanitization. If source code access is available, refactor the affected code to use secure database access libraries that enforce query parameterization. In the absence of official patches, consider deploying web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint. Conduct thorough security testing, including automated and manual penetration testing, to identify and remediate similar injection points. Additionally, restrict database user privileges to the minimum necessary to limit the impact of any successful injection. Monitor logs for suspicious activity related to the /add_judge.php endpoint and the 'fullname' parameter. Finally, plan for an update or patch from the vendor and maintain an incident response plan to quickly address any exploitation attempts.
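As an added illustration (not code from the Online Event Judging System; the real /add_judge.php source is not reproduced here), the following shows the string-concatenation pattern that produces this class of bug beside a prepared-statement version using mysqli. The connection details, the `judges` table and its `fullname` column are assumptions.

```php
<?php
// Added example, not the project's code. The connection parameters and the
// `judges` table with a `fullname` column are hypothetical placeholders.
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'EVENT_DB');

// Vulnerable pattern: the request parameter is concatenated into the SQL
// text, so a quote character in fullname changes the statement's structure.
function add_judge_vulnerable(mysqli $conn, string $fullname): bool
{
    $sql = "INSERT INTO judges (fullname) VALUES ('" . $fullname . "')";
    return $conn->query($sql) === true;
}

// Hardened pattern: the SQL text is fixed at prepare time and fullname is
// bound as data, so it can never be parsed as part of the statement.
function add_judge_safe(mysqli $conn, string $fullname): bool
{
    // Validation is defence in depth, not the primary control: bound the
    // length and allow only characters plausible in a person's name.
    $fullname = trim($fullname);
    if ($fullname === '' || mb_strlen($fullname) > 100
        || !preg_match('/^[\p{L}\p{M}\' .-]+$/u', $fullname)) {
        return false;
    }
    $stmt = $conn->prepare('INSERT INTO judges (fullname) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $fullname);   // 's' = bind as string data
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: read the parameter explicitly and refuse on failure
// instead of letting a malformed value reach the database.
$fullname = $_POST['fullname'] ?? '';
if (!add_judge_safe($conn, $fullname)) {
    http_response_code(400);
    exit('Invalid judge name');
}
```

The hardened version also stays safe if the name legitimately contains an apostrophe (for example O'Brien), which the concatenated version would either break on or mis-handle.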
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-26T05:33:41.054Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ff37aa8ee3628e2d77b5ee
Added to database: 10/27/2025, 9:13:14 AM
Last enriched: 10/27/2025, 9:28:14 AM
Last updated: 10/27/2025, 10:18:16 AM