CVE-2025-4721 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Placement Management System, specifically affecting the /drive.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the database. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits have been reported in the wild yet. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with attack vector being network-based, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. The vulnerability does not require authentication, making it accessible to any remote attacker who can reach the vulnerable endpoint. Given the critical nature of SQL Injection vulnerabilities in general, this issue poses a significant risk to organizations using this software, especially if sensitive placement or candidate data is stored in the database.

For European organizations using the itsourcecode Placement Management System 1.0, this vulnerability could lead to unauthorized disclosure of sensitive personal data, including candidate information, placement records, and potentially other confidential HR or educational data. Exploitation could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, attackers could modify or delete data, disrupting placement operations and causing operational downtime. Since the vulnerability is remotely exploitable without authentication, attackers could leverage it to gain further foothold within the network, potentially escalating privileges or pivoting to other systems. The impact is particularly severe for educational institutions, recruitment agencies, or companies relying on this system for managing placement processes, as the integrity and availability of placement data are critical for their operations.

Organizations should immediately review and restrict access to the /drive.php endpoint, implementing network-level controls such as IP whitelisting or web application firewalls (WAFs) with SQL Injection detection and prevention rules tailored to the specific 'ID' parameter. Input validation and parameterized queries should be enforced in the application code to prevent injection attacks. Since no official patch is currently available, organizations should consider temporary mitigations such as disabling or restricting the vulnerable functionality if feasible. Regular monitoring of logs for suspicious SQL query patterns targeting the 'ID' parameter is recommended to detect potential exploitation attempts early. Additionally, organizations should conduct a thorough audit of database access controls and ensure that the database user account used by the application has the least privileges necessary to limit the impact of any successful injection. Finally, organizations should plan to upgrade to a patched version once released or consider alternative placement management solutions with better security track records.