CVE-2025-14645: SQL Injection in code-projects Student File Management System
A vulnerability was identified in code-projects Student File Management System 1.0. It affects an unknown function in the file /admin/delete_user.php. Manipulation of the argument user_id leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-14645 identifies a SQL injection vulnerability in the Student File Management System version 1.0 developed by code-projects. The flaw exists in the /admin/delete_user.php script, where the user_id parameter is not properly sanitized before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially manipulating the backend database. The vulnerability does not require any privileges or user interaction, making it highly accessible for exploitation. The CVSS 4.0 base score is 6.9, reflecting medium severity, with a network (remote) attack vector, low attack complexity, no privileges or user interaction needed, and low impact on confidentiality, integrity, and availability individually, though the combined impact is notable. The vulnerability can lead to unauthorized data disclosure, modification, or deletion, which is critical in a student management context where sensitive personal and academic data is stored. No patches or official fixes are currently linked, but public exploit code is available, increasing the urgency for mitigation. The vulnerability affects only version 1.0 of the product, which may limit the scope but still poses a significant risk to organizations using this version.
Potential Impact
For European organizations, particularly educational institutions and administrative bodies using the affected Student File Management System 1.0, this vulnerability could lead to unauthorized access to sensitive student data, including personal identification and academic records. The SQL injection could allow attackers to extract confidential information, alter or delete user records, or disrupt system availability by corrupting database contents. This compromises data confidentiality, integrity, and availability, potentially violating GDPR and other data protection regulations, leading to legal and reputational consequences. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in environments with internet-facing administrative portals. The lack of known active exploitation currently provides a window for proactive defense, but the availability of public exploit code means attackers could rapidly weaponize this vulnerability. The impact extends beyond data loss to potential operational disruption in educational services, affecting students, staff, and administrative workflows.
Mitigation Recommendations
Organizations should immediately audit their use of the code-projects Student File Management System and identify any instances of version 1.0 in use. Since no official patch is currently available, implement the following mitigations:
1) Restrict access to the /admin/delete_user.php endpoint using network-level controls such as VPNs, IP whitelisting, or firewall rules to limit exposure to trusted administrators only.
2) Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the user_id parameter.
3) Review and update the application code to use parameterized queries or prepared statements for all database interactions, especially those involving user-supplied input.
4) Implement rigorous input validation and sanitization on all parameters, particularly user_id, to reject malicious payloads.
5) Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint.
6) Plan for an upgrade or replacement of the Student File Management System to a version without this vulnerability or an alternative product.
7) Conduct security awareness training for administrators to recognize and report suspicious activities.
These steps will reduce the attack surface and mitigate the risk until an official patch is released.
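The following is an added worked example of mitigations 3, 4 and 5 together, and of the unsanitized-parameter flaw described in the Technical Summary. It is not code from the Student File Management System (whose PHP source is not reproduced on this page) and is written in Python against an in-memory SQLite database. The users table schema, the access-log lines and the function names parse_user_id, delete_user and suspicious_requests are the example's own constructions.

```python
import re
import sqlite3
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-in for the application's user table. The real schema of the
# Student File Management System is not on the page; this one is an assumption.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (id, username) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn

# Mitigation 4: allow-list validation. A user_id is a positive decimal integer of
# at most 10 digits; anything else is rejected before it gets near the database.
USER_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def parse_user_id(raw: Optional[str]) -> Optional[int]:
    """Return the user id as an int, or None if the value is not a plain positive integer."""
    if raw is None:
        return None
    value = raw.strip()
    if not USER_ID_RE.fullmatch(value):
        return None
    return int(value)

# Mitigation 3: the value is bound as a query parameter, never concatenated into
# the SQL text, so the database driver treats it as data rather than as SQL.
def delete_user(conn: sqlite3.Connection, raw_user_id: Optional[str]) -> int:
    """Delete one user. Returns rows deleted (0 or 1), or -1 if the input was rejected."""
    user_id = parse_user_id(raw_user_id)
    if user_id is None:
        return -1
    cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    conn.commit()
    return cur.rowcount

def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

# Mitigation 5: log monitoring. Flag every request to the vulnerable endpoint whose
# user_id fails the same allow-list; this is a tighter and more stable signal than
# matching a blocklist of known injection strings.
REQUEST_RE = re.compile(
    r'"(?:GET|POST) /admin/delete_user\.php(?:\?(?P<qs>[^ "]*))? HTTP/'
)

def suspicious_requests(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, offending user_id value) for each non-integer user_id seen."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        params = parse_qs(m.group("qs") or "", keep_blank_values=True)
        for value in params.get("user_id", []):
            if parse_user_id(value) is None:
                flagged.append((client_ip, value))
    return flagged

# Constructed access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2025:06:00:01 +0000] "GET /admin/delete_user.php?user_id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Dec/2025:06:00:07 +0000] "GET /admin/delete_user.php?user_id=42abc HTTP/1.1" 500 0',
    '10.0.0.9 - - [14/Dec/2025:06:00:08 +0000] "GET /admin/delete_user.php?user_id= HTTP/1.1" 500 0',
    '10.0.0.5 - - [14/Dec/2025:06:00:09 +0000] "GET /admin/index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    db = make_db()
    print(delete_user(db, "2"), count_users(db))      # 1 2
    print(delete_user(db, "42abc"), count_users(db))  # -1 2
    print(suspicious_requests(SAMPLE_LOG))            # [('10.0.0.9', '42abc'), ('10.0.0.9', '')]
```

The validator and the parameterized query are independent layers: the allow-list rejects anything that is not an integer id before a query is built, and parameter binding means the query text cannot be altered by the value even if validation were loosened later. Reusing the same validator in the log scanner keeps the detection rule aligned with what the application accepts, so a request that the hardened handler would reject is exactly the request that gets flagged.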
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T09:00:07.139Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 693e4f9cc223240c4b621aa1
Added to database: 12/14/2025, 5:48:12 AM
Last enriched: 12/14/2025, 6:03:10 AM
Last updated: 12/14/2025, 11:07:04 AM
Views: 10