CVE-2025-4482 is a SQL Injection vulnerability identified in version 1.0 of the Project Worlds Student Project Allocation System, specifically within the /change_pass/forgot_password_sql.php file. The vulnerability arises from improper sanitization of the 'Pat_BloodGroup1' parameter, which can be manipulated remotely by an unauthenticated attacker to inject malicious SQL code. This flaw allows attackers to interfere with the backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the database. The vulnerability does not require user interaction or authentication, increasing its risk profile. Although the CVSS v4.0 score is 6.9, categorized as medium severity, the impact vector includes network attack with low attack complexity and no privileges required, indicating ease of exploitation. The vulnerability may also affect other parameters, suggesting a broader input validation issue in the application. No patches or fixes have been published yet, and while no known exploits are currently in the wild, the public disclosure of the exploit code increases the likelihood of exploitation attempts.

For European organizations, especially educational institutions and universities using the Project Worlds Student Project Allocation System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive student data, including personal information and project allocations, potentially violating GDPR and other data protection regulations. The integrity of student records could be compromised, leading to manipulation or deletion of project assignments. Additionally, attackers could leverage the SQL Injection to escalate privileges or pivot within the network, threatening broader organizational IT infrastructure. The remote and unauthenticated nature of the attack vector increases the risk of widespread exploitation, potentially disrupting academic operations and damaging institutional reputations.

Organizations should immediately conduct a thorough security review of the Student Project Allocation System, focusing on input validation and sanitization mechanisms, especially for the 'Pat_BloodGroup1' parameter and other user inputs. Implement parameterized queries or prepared statements to prevent SQL Injection. If possible, restrict access to the /change_pass/forgot_password_sql.php endpoint via network controls or web application firewalls (WAFs) with rules designed to detect and block SQL Injection patterns. Monitor logs for suspicious activity related to this endpoint. Since no official patch is available, consider isolating or temporarily disabling the vulnerable functionality until a fix is released. Engage with the vendor to obtain updates or patches promptly. Additionally, conduct regular security training for developers to prevent similar vulnerabilities in future releases.