
CVE-2025-15140: SQL Injection in saiftheboss7 onlinemcqexam

Severity: Medium
Published: Sun Dec 28 2025 (12/28/2025, 14:32:06 UTC)
Source: CVE Database V5
Vendor/Project: saiftheboss7
Product: onlinemcqexam

Description

A vulnerability was found in saiftheboss7 onlinemcqexam up to commit 0e56806132971e49721db3ef01868098c7b42ada. It affects unknown code in the file /admin/quesadd.php: manipulation of the argument ans1/ans2 results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery, so no version numbers are available for affected or fixed releases. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 12/30/2025, 23:44:27 UTC

Technical Analysis

CVE-2025-15140 is a SQL injection in the saiftheboss7 onlinemcqexam application, affecting every revision up to commit 0e56806132971e49721db3ef01868098c7b42ada. The flaw is in /admin/quesadd.php, where the ans1 and ans2 request parameters are placed into a SQL statement without parameterization or escaping, so a remote attacker who can reach the script can change the query that stores a new exam question and, depending on the database account's privileges, read or modify other tables or degrade availability. The CVE description does not say whether an administrator session is required; the script sits under /admin/, so check whether your deployment actually enforces authentication on that directory rather than assuming it does. The CVSS 4.0 base score of 6.9 (medium) is well below the 9.3 that an unauthenticated injection rated with high confidentiality, integrity and availability impact would receive, so the assigner rated the impact as limited; the vector string is not reproduced on this page. Attack complexity is low and no user interaction is needed. The project follows a rolling release model, the vendor did not respond to the disclosure, and no fixing commit or official mitigation has been published. Exploit details are public, which raises the likelihood of opportunistic exploitation even though no in-the-wild attacks are known, so deployments should apply their own defensive measures now rather than wait for a fix.
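To make the mechanism concrete, here is an added example written for this page rather than taken from the onlinemcqexam repository (the real quesadd.php source is not reproduced here): a question-insert query built by string concatenation, the way the advisory says ans1/ans2 are handled, next to a parameterized version. It uses Python with an in-memory SQLite database so it runs stand-alone; the table and column names, the admin table, the stored hash and the payload are all assumptions. The real application is PHP, where the equivalent fix is a mysqli prepared statement or PDO with bound parameters.

```python
"""Constructed demonstration (not the onlinemcqexam code): an INSERT that splices
request parameters into SQL text, beside a parameterized version of the same
statement. SQLite stands in for MySQL; schema and data are made up for the demo."""
import sqlite3

# Constructed sample data; the admin table and this hash value are assumptions.
ADMIN_HASH = "$2y$10$constructedhashvalue"

# Attacker-supplied ans1: closes the string literal, supplies a scalar subquery as
# the third VALUES entry, and comments out the rest of the original statement.
PAYLOAD = "A', (SELECT password FROM admin LIMIT 1)) -- "


def setup_db():
    """Create the in-memory schema and seed one admin row (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE questions(id INTEGER PRIMARY KEY, question TEXT,
                               ans1 TEXT, ans2 TEXT);
    """)
    conn.execute("INSERT INTO admin(username, password) VALUES (?, ?)",
                 ("admin", ADMIN_HASH))
    return conn


def _stored(conn, rowid):
    """Return the (ans1, ans2) pair actually stored for the new question."""
    return conn.execute("SELECT ans1, ans2 FROM questions WHERE id = ?",
                        (rowid,)).fetchone()


def add_question_vulnerable(conn, question, ans1, ans2):
    """Vulnerable pattern: parameters are formatted straight into the SQL text,
    so quote characters in ans1/ans2 change the statement's structure."""
    sql = ("INSERT INTO questions(question, ans1, ans2) "
           "VALUES ('%s', '%s', '%s')" % (question, ans1, ans2))
    cur = conn.execute(sql)
    return _stored(conn, cur.lastrowid)


def add_question_safe(conn, question, ans1, ans2):
    """Hardened pattern: placeholders; values are bound by the driver and never
    parsed as SQL, so the payload is stored verbatim as answer text."""
    cur = conn.execute(
        "INSERT INTO questions(question, ans1, ans2) VALUES (?, ?, ?)",
        (question, ans1, ans2))
    return _stored(conn, cur.lastrowid)


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", add_question_vulnerable(db, "Q1", PAYLOAD, "C"))
    print("safe:      ", add_question_safe(db, "Q2", PAYLOAD, "C"))
```

In the vulnerable path the new question's second answer becomes the administrator's stored password hash, which is then shown wherever the question is rendered (a second-order read with no error messages needed). Against MySQL the comment token needs the trailing space (`-- `); SQLite accepts it either way. The parameterized version stores the whole payload as ans1 and keeps ans2 as supplied, which is the correct outcome.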

Potential Impact

For European organizations running the onlinemcqexam platform, this vulnerability risks unauthorized access to examination content, user records and administrative data held in the same database, since an injected statement runs with whatever privileges the application's database account has. Exploitation could expose student or employee information, alter exam questions or results, or disrupt examination services. Such incidents damage reputation, can breach data protection obligations under the GDPR, and may lead to financial penalties. Educational institutions, certification bodies and training providers that rely on this software are the most exposed. If the script is reachable from the internet, and especially if the /admin/ directory does not enforce a login, the public exploit details make opportunistic scanning and mass exploitation likely. With no vendor patch, organizations must rely on their own mitigations.

Mitigation Recommendations

Organizations should immediately fix the query in /admin/quesadd.php by moving the ans1 and ans2 values (and every other request parameter the script uses) into prepared statements with bound parameters; input validation is a useful second layer but on its own does not prevent SQL injection. If source modification is not feasible, deploy a web application firewall with rules that inspect the ans1 and ans2 parameters on requests to /admin/quesadd.php, bearing in mind that if the form submits by POST the values are in the request body and a rule that only inspects the URL will miss them. Restrict access to the /admin/ directory to known IP addresses or VPN users, and confirm that the directory enforces an authenticated administrator session. Run the application with a database account limited to the tables it needs, so an injection cannot reach other schemas or administrative functions. Monitor web-server, WAF or application logs for quote characters, comment sequences and SQL keywords in these parameters and for repeated requests to the endpoint from one source. Review the deployment as a whole, keep the database off any network reachable from the internet, and watch the project repository for a commit touching /admin/quesadd.php since the rolling release model means there will be no versioned fix. Finally, keep regular backups of the database so exam data can be restored after a compromise.
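As an added example of the log monitoring suggested above (not part of the advisory or the project), the following Python scans web-server access-log lines for requests to /admin/quesadd.php, flags ans1/ans2 values that contain injection indicators, and reports sources that hit the endpoint repeatedly. The log lines are constructed for the demo, and the indicator pattern and hit threshold are assumptions to tune for your traffic. Because the question form may submit by POST, whose body does not appear in a standard access log, feed the same check from a WAF audit log or application-level request logging in that case.

```python
"""Constructed detection example (not from the advisory or the project): flag
SQL-injection indicators in the ans1/ans2 parameters of requests to
/admin/quesadd.php and count repeated hits per source. Log lines are made up."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET = "/admin/quesadd.php"
WATCHED_PARAMS = ("ans1", "ans2")

# Indicators (assumption, tune per deployment): a quote followed by something that
# only makes sense as SQL, comment openers, or query keywords. A lone apostrophe is
# not flagged so that answer text such as "O'Brien" does not trip the rule.
SQLI_PATTERN = re.compile(
    r"('\s*(,|\)|or\b|and\b|--|#|;)|--\s|/\*|\bunion\b|\bselect\b"
    r"|\bsleep\s*\(|\bbenchmark\s*\()",
    re.IGNORECASE)

# Apache/nginx combined-format line, enough of it to pull source, time and URL.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log: one benign request, two injection attempts, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2025:14:40:01 +0000] "GET /admin/quesadd.php?question=Q1&ans1=Paris&ans2=Rome HTTP/1.1" 200 512
203.0.113.5 - - [28/Dec/2025:14:40:09 +0000] "GET /admin/quesadd.php?question=Q1&ans1=A%27%2C%28SELECT+password+FROM+admin%29%29+--+&ans2=C HTTP/1.1" 200 512
198.51.100.7 - - [28/Dec/2025:14:41:00 +0000] "GET /index.php HTTP/1.1" 200 1024
203.0.113.5 - - [28/Dec/2025:14:41:02 +0000] "GET /admin/quesadd.php?ans1=x%27+OR+1%3D1--&ans2=y HTTP/1.1" 200 512
"""


def parse_line(line):
    """Parse one access-log line into ip, timestamp, path and decoded query params."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": parts.path, "params": parse_qs(parts.query)}


def analyze(log_text, threshold=3):
    """Return injection alerts on the watched parameters and the sources that hit
    the target endpoint at least `threshold` times."""
    alerts, hits = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET:
            continue
        hits[rec["ip"]] += 1
        for name in WATCHED_PARAMS:
            for value in rec["params"].get(name, []):
                if SQLI_PATTERN.search(value):
                    alerts.append((rec["ip"], rec["ts"], name, value))
    noisy = sorted(ip for ip, n in hits.items() if n >= threshold)
    return {"alerts": alerts, "noisy_sources": noisy}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, ts, name, value in result["alerts"]:
        print(f"ALERT {ts} {ip} {name}={value!r}")
    print("repeat sources:", result["noisy_sources"])
```

The decoded values are what the database would have seen, so the same pattern can be applied to WAF audit records or application logs that capture POST bodies; the per-source counter is a cheap way to surface scanners probing the endpoint even when their payloads do not match the pattern.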


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2025-12-27T10:14:45.852Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 695450bbdb813ff03e2bf84e

Added to database: 12/30/2025, 10:22:51 PM

Last enriched: 12/30/2025, 11:44:27 PM

Last updated: 2/2/2026, 9:53:54 AM
