CVE-2025-12612 is a SQL injection vulnerability identified in Campcodes School Fees Payment Management System version 1.0. The vulnerability arises from improper input validation of the 'ID' parameter in the /ajax.php?action=delete_course endpoint. This flaw allows an attacker to inject arbitrary SQL queries remotely without requiring user interaction, though low privileges are necessary to exploit it. The injection can manipulate backend database queries, potentially leading to unauthorized data retrieval, modification, or deletion. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with attack vector being network-based and low attack complexity. The vulnerability does not require authentication but does require low privileges, and it impacts confidentiality, integrity, and availability to a limited extent. No official patches have been linked yet, and no known exploits are observed in the wild, but a public exploit is available, increasing the risk of exploitation. This vulnerability primarily affects educational institutions using Campcodes School Fees Payment Management System 1.0, which may be deployed in various countries. The lack of proper input sanitization in a critical financial management module poses a significant risk to sensitive financial and personal data.

The SQL injection vulnerability in Campcodes School Fees Payment Management System 1.0 could allow attackers to remotely execute arbitrary SQL commands on the backend database. This can lead to unauthorized disclosure of sensitive student and financial data, unauthorized modification or deletion of records, and potential disruption of payment processing services. Such impacts compromise confidentiality, integrity, and availability of the system. Educational institutions relying on this system may face data breaches, financial fraud, reputational damage, and regulatory penalties. The presence of a public exploit increases the likelihood of exploitation attempts, especially by opportunistic attackers. Although the vulnerability requires low privileges, attackers who gain initial access or have limited user accounts can escalate their impact. The scope is limited to organizations using this specific version of the Campcodes system, but given the critical nature of school fee management, the consequences can be severe for affected entities.

1. Immediate mitigation should focus on input validation and sanitization of the 'ID' parameter in the /ajax.php?action=delete_course endpoint to prevent SQL injection. 2. Implement parameterized queries or prepared statements in the backend code to eliminate direct injection risks. 3. Restrict access to the vulnerable endpoint to authorized users only, enforcing strict authentication and role-based access controls. 4. Monitor logs for suspicious activities targeting the delete_course action, especially unusual SQL errors or unexpected parameter values. 5. If a patch is released by Campcodes, apply it promptly. 6. Conduct a thorough security audit of the entire application to identify and remediate other potential injection points. 7. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint. 8. Educate system administrators and developers about secure coding practices to prevent similar vulnerabilities in future versions. 9. Backup critical data regularly and ensure recovery procedures are tested to mitigate potential data loss from exploitation.