CVE-2025-14645: SQL Injection in code-projects Student File Management System
A vulnerability was identified in code-projects Student File Management System 1.0. It affects an unknown function in the file /admin/delete_user.php. Manipulation of the argument user_id leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-14645 identifies a SQL injection vulnerability in the code-projects Student File Management System version 1.0, located in the /admin/delete_user.php script. The vulnerability arises from improper sanitization of the user_id parameter, which is directly incorporated into SQL queries without adequate validation or use of parameterized statements. This allows remote attackers to inject malicious SQL code, potentially enabling unauthorized access to the backend database, data exfiltration, modification, or deletion of records. The attack vector is network accessible without requiring authentication or user interaction, making exploitation straightforward. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the lack of required privileges and user interaction but acknowledging the limited scope and impact on confidentiality, integrity, and availability. No patches or vendor advisories are currently available, and no active exploitation has been reported, though a public exploit exists, increasing the risk of future attacks. The vulnerability primarily threatens the confidentiality and integrity of student data managed by the system, as well as the availability of administrative functions. The lack of scope change indicates the impact is confined to the vulnerable application instance. This vulnerability underscores the importance of secure coding practices, particularly input validation and use of prepared statements in web applications managing sensitive educational data.
Potential Impact
For European organizations, particularly educational institutions using the code-projects Student File Management System, this vulnerability poses significant risks. Exploitation could lead to unauthorized disclosure of sensitive student information, including personal and academic records, violating data protection regulations such as GDPR. Integrity of data could be compromised, allowing attackers to alter or delete user records, potentially disrupting administrative operations. Availability of the system could also be affected if attackers execute destructive SQL commands. The remote, unauthenticated nature of the exploit increases the likelihood of attacks, especially in environments with exposed administrative interfaces. This could result in reputational damage, legal liabilities, and operational downtime. Given the critical role of educational data and compliance requirements in Europe, organizations must treat this vulnerability seriously to prevent data breaches and maintain trust.
Mitigation Recommendations
Immediate mitigation steps include conducting a thorough code audit of the /admin/delete_user.php script to identify and remediate unsafe SQL query constructions. Replace dynamic SQL queries with parameterized prepared statements or stored procedures to prevent injection. Implement strict input validation and sanitization on the user_id parameter to accept only expected formats (e.g., numeric IDs). Restrict access to administrative endpoints via network controls such as VPNs, IP whitelisting, or multi-factor authentication to reduce exposure. Monitor logs for suspicious activities targeting the user_id parameter or delete_user.php endpoint. Since no official patch is available, consider isolating or disabling the vulnerable functionality until a secure update is released. Educate developers on secure coding practices to prevent similar vulnerabilities. Finally, maintain up-to-date backups of critical data to enable recovery in case of compromise.
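As an added illustration (not the project's own code, which the advisory does not show), the hardening described above applied to a hypothetical delete_user.php handler: numeric validation of user_id, a mysqli prepared statement instead of string concatenation, and session gating of the admin endpoint. The table and column names, the session key and the database credentials are assumptions.

```php
<?php
// Added illustration, not code from the Student File Management System.
// The advisory only states that user_id reaches an SQL query in
// /admin/delete_user.php unsanitised; table/column names are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli throw on failure

// Hypothetical vulnerable pattern the advisory describes: the request
// parameter is interpolated straight into the SQL text.
//   $db->query("DELETE FROM users WHERE id = " . $_GET['user_id']);

/**
 * Validate user_id and delete via a prepared statement.
 * Returns the number of rows deleted, or null when the input was rejected.
 */
function deleteUserSafely(mysqli $db, array $request): ?int
{
    // 1. Strict validation: accept only a positive integer, as the advisory recommends.
    $userId = filter_var($request['user_id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($userId === false) {
        error_log('delete_user.php: rejected non-numeric user_id'); // feeds the log monitoring step
        return null;
    }

    // 2. Parameterised query: the value is bound as an integer, never concatenated.
    $stmt = $db->prepare('DELETE FROM users WHERE id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// 3. Gate the admin endpoint (assumed session layout): refuse unauthenticated
//    callers and non-POST requests before touching the database.
session_start();
if (empty($_SESSION['admin_id']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(403);
    exit;
}

$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'student_files'); // placeholder credentials
$db->set_charset('utf8mb4');
$deleted = deleteUserSafely($db, $_POST);
if ($deleted === null) {
    http_response_code(400);
    echo 'Invalid user_id';
} else {
    echo "Deleted {$deleted} user record(s)";
}
```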
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T09:00:07.139Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693e4f9cc223240c4b621aa1
Added to database: 12/14/2025, 5:48:12 AM
Last enriched: 12/21/2025, 7:13:45 AM
Last updated: 2/7/2026, 4:12:21 PM