CVE-2025-12255 is a SQL injection vulnerability affecting the Online Event Judging System version 1.0 developed by code-projects. The vulnerability resides in the /add_contestant.php script, specifically in the handling of the 'fullname' parameter. An attacker can remotely exploit this flaw by injecting malicious SQL code into the 'fullname' argument, which is then executed by the backend database. This injection occurs due to insufficient input sanitization and lack of parameterized queries, allowing attackers to manipulate SQL statements. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS 4.0 score is 5.3 (medium), reflecting the network attack vector, low complexity, and no privileges or user interaction needed, but with limited impact on confidentiality, integrity, and availability. Although no active exploitation has been confirmed, the public availability of exploit code increases the likelihood of attacks. The vulnerability could allow attackers to extract sensitive data, modify database contents, or disrupt service availability, depending on the database permissions and environment. The affected product is primarily used for managing event judging processes, which may contain personal data of contestants and event results, making confidentiality and integrity critical. The lack of official patches or vendor advisories necessitates immediate mitigation by users. The vulnerability highlights the importance of secure coding practices, especially input validation and the use of prepared statements to prevent SQL injection attacks.

For European organizations using the Online Event Judging System, this vulnerability poses a risk of unauthorized data access and manipulation. Potential impacts include exposure of personal data of contestants, alteration of event results, and disruption of event management services. This could lead to reputational damage, legal consequences under GDPR due to personal data breaches, and operational interruptions during critical event periods. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in environments where the system is internet-facing. Organizations involved in cultural, academic, or professional events relying on this software may face targeted attacks aiming to influence event outcomes or steal sensitive information. The medium severity score suggests moderate impact, but the public exploit availability and ease of exploitation elevate the urgency for mitigation. Additionally, compromised systems could be used as pivot points for further network intrusion, increasing the overall security risk.

1. Immediately implement input validation and sanitization on the 'fullname' parameter and any other user inputs to block malicious SQL code. 2. Refactor the /add_contestant.php script to use parameterized queries or prepared statements to prevent SQL injection. 3. Restrict database user privileges to the minimum necessary, avoiding use of high-privilege accounts for web applications. 4. Monitor logs for unusual database queries or errors indicative of injection attempts. 5. If possible, isolate the Online Event Judging System behind a web application firewall (WAF) configured to detect and block SQL injection patterns. 6. Conduct a thorough security audit of the entire application to identify and remediate other potential injection points. 7. Regularly back up databases and test restoration procedures to mitigate data loss risks. 8. Engage with the vendor or community to obtain or develop official patches or updates. 9. Educate developers and administrators on secure coding practices and the risks of SQL injection. 10. Limit external exposure of the application by restricting access to trusted networks or VPNs where feasible.