CVE-2025-12928 identifies a SQL injection vulnerability in the code-projects Online Job Search Engine version 1.0, located in the /login.php script. The vulnerability arises from improper sanitization of input parameters 'username' and 'phone', which are directly used in SQL queries without adequate validation or parameterization. This allows remote attackers to inject malicious SQL code, potentially bypassing authentication, extracting sensitive data, or modifying database contents. The attack vector requires no authentication or user interaction, making it highly accessible to threat actors. The CVSS 4.0 score of 6.9 (medium severity) reflects the vulnerability's network attack vector, low complexity, and no privileges required, but limited scope and impact on confidentiality, integrity, and availability. Although no active exploits have been observed in the wild, the public disclosure of exploit code increases the likelihood of exploitation attempts. The vulnerability affects only version 1.0 of the product, which is used primarily by online job search platforms to manage user authentication and data. Without remediation, attackers could compromise user accounts, access personal information, or disrupt service availability. The lack of official patches necessitates immediate mitigation through secure coding practices such as prepared statements and input validation.

For European organizations operating online job search engines or platforms using the affected code-projects software, this vulnerability poses a significant risk to the confidentiality and integrity of user data, including personal identification and contact information. Exploitation could lead to unauthorized access to user accounts, data leakage, and potential manipulation or deletion of database records, undermining trust and compliance with data protection regulations such as GDPR. The availability impact is limited but could occur if attackers execute destructive SQL commands. The medium severity rating suggests moderate but tangible risks, especially for organizations lacking robust intrusion detection or input validation controls. Given the public availability of exploit code, attackers may target European job platforms to harvest personal data or disrupt services, potentially affecting recruitment processes and user privacy. The reputational damage and regulatory penalties from data breaches could be substantial. Organizations relying on this software must assess exposure and implement mitigations promptly to avoid exploitation.

1. Immediately review and update the /login.php code to implement parameterized queries or prepared statements for all database interactions involving user inputs, especially 'username' and 'phone'. 2. Apply rigorous input validation and sanitization to reject malicious input patterns before processing. 3. If official patches or updates become available from the vendor, prioritize their deployment. 4. Employ Web Application Firewalls (WAFs) configured to detect and block SQL injection attempts targeting login parameters. 5. Monitor logs for unusual login attempts or database errors indicative of injection attempts. 6. Conduct security code reviews and penetration testing focused on input handling in authentication modules. 7. Educate developers on secure coding practices to prevent similar vulnerabilities. 8. Consider isolating or restricting access to the affected application components until mitigations are in place. 9. Backup databases regularly and ensure recovery procedures are tested to mitigate potential data loss. 10. For organizations unable to patch immediately, implement compensating controls such as strict network segmentation and enhanced monitoring.