CVE-2025-12612 is a SQL injection vulnerability identified in Campcodes School Fees Payment Management System version 1.0. The vulnerability arises from improper sanitization of the 'ID' parameter in the /ajax.php?action=delete_course endpoint. An attacker can remotely send crafted requests to inject arbitrary SQL commands, potentially manipulating or extracting sensitive database information. The vulnerability requires no user interaction and no authentication but does require low privileges, indicating that an attacker with minimal access could exploit it. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, the public release of exploit code increases the likelihood of exploitation. The vulnerability affects only version 1.0 of the product, and no official patches have been published yet. The flaw could allow attackers to access or modify sensitive payment and course data, leading to data breaches, financial fraud, or disruption of school fee payment processes. The vulnerability highlights the need for secure coding practices, especially input validation and parameterized queries in web applications handling sensitive financial data.

For European organizations, especially educational institutions using the Campcodes School Fees Payment Management System, this vulnerability poses a risk of unauthorized access to sensitive student and financial data. Exploitation could lead to data breaches exposing personally identifiable information (PII), financial fraud through manipulation of payment records, and disruption of fee payment services. This could damage institutional reputation, result in regulatory penalties under GDPR due to data exposure, and cause operational downtime. The medium severity indicates that while the impact is significant, it may not lead to full system compromise but can still cause substantial harm. The public availability of exploit code increases the risk of opportunistic attacks, particularly targeting schools with limited cybersecurity resources. The vulnerability could also be leveraged as a foothold for further attacks within the network if combined with other vulnerabilities.

1. Immediately monitor network traffic and application logs for suspicious requests targeting /ajax.php?action=delete_course with unusual 'ID' parameter values. 2. Implement strict input validation and sanitization on all user-supplied parameters, especially 'ID', using allowlists and rejecting unexpected characters. 3. Employ parameterized queries or prepared statements in the backend database interactions to prevent SQL injection. 4. Deploy a Web Application Firewall (WAF) configured to detect and block SQL injection patterns targeting the affected endpoint. 5. Restrict access to the /ajax.php endpoint to authorized users or IP ranges where feasible to reduce exposure. 6. Engage with the vendor to obtain and apply official patches or updates as soon as they become available. 7. Conduct security awareness training for administrators and developers on secure coding practices and vulnerability management. 8. Perform regular security assessments and penetration testing focusing on injection flaws in web applications. 9. Backup critical data regularly and ensure recovery plans are in place in case of data corruption or loss due to exploitation.