CVE-2025-5004: SQL Injection in projectworlds Online Time Table Generator
A vulnerability was found in projectworlds Online Time Table Generator 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/add_course.php. The manipulation of the argument c/subname leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5004 is a SQL Injection vulnerability identified in version 1.0 of the projectworlds Online Time Table Generator application. The vulnerability arises from improper sanitization or validation of the 'c/subname' parameter in the /admin/add_course.php script. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the intended SQL queries executed by the backend database. This can lead to unauthorized data access, data modification, or even complete compromise of the database. The vulnerability does not require authentication, user interaction, or privileges, and can be exploited over the network, making it accessible to remote attackers. The CVSS 4.0 score is 6.9, classified as medium severity, reflecting the ease of exploitation and the potential impact on confidentiality, integrity, and availability, though the impact is limited to low levels in these areas. No known exploits are currently observed in the wild, and no patches have been published yet. The vulnerability affects only version 1.0 of the product, which is a niche online timetable management tool likely used by educational institutions or organizations managing schedules. The lack of a patch and public exploit disclosure increases the risk of exploitation in unpatched environments.
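The summary above names the defect class (user input reaching an SQL query unsanitized) but the page carries no code. The following is an added illustration, not the project's own source: a hypothetical handler written in the same shape as a small PHP/MySQL admin page, with the injectable pattern beside its hardened form. The parameter name `subname`, the table `course`, the column name and the allowed-character policy are all assumptions made for the example.

```php
<?php
// Added illustrative example (not the project's code). Table 'course', column
// 'subname' and the character policy below are assumptions for illustration.

// Injectable pattern: the request parameter is concatenated into the SQL text,
// so a quote character in $subname changes the structure of the statement.
function addCourseVulnerable(mysqli $db, string $subname): bool
{
    $sql = "INSERT INTO course (subname) VALUES ('" . $subname . "')";
    return $db->query($sql) !== false;
}

// Allow-list validation: accept only what a subject name legitimately contains
// (letters, digits, space and a few separators, 1..64 chars) and reject the rest.
function validateSubname(string $subname): ?string
{
    $subname = trim($subname);
    if (!preg_match('/^[\p{L}\p{N} .&()\/-]{1,64}$/u', $subname)) {
        return null;   // reject rather than try to "clean" the value
    }
    return $subname;
}

// Hardened pattern: validated input is bound as a parameter of a prepared
// statement, so the database never parses it as SQL regardless of content.
function addCourseSafe(mysqli $db, string $rawSubname): bool
{
    $subname = validateSubname($rawSubname);
    if ($subname === null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO course (subname) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $subname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling (assumed session layout): the admin endpoint must also
// check that the caller is an authenticated administrator before doing anything.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('forbidden');
}
$db = new mysqli('localhost', 'timetable_user', 'CHANGE_ME', 'timetable');
$ok = addCourseSafe($db, $_POST['subname'] ?? '');
echo $ok ? 'course added' : 'invalid course name';
```

Validation and parameter binding are complementary: binding alone closes the injection, while the allow-list keeps junk out of the table and gives a clear failure on bad input. The session check at the bottom addresses the other point the summary makes, that the admin script is reachable without authentication.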
Potential Impact
For European organizations, especially educational institutions, training centers, or small businesses using the projectworlds Online Time Table Generator 1.0, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized disclosure of sensitive scheduling data, modification or deletion of course or timetable information, and potential disruption of administrative operations. Although the CVSS score suggests medium severity, the impact on confidentiality and integrity can be critical for organizations relying heavily on accurate timetable data. Moreover, attackers could leverage this vulnerability as an initial foothold to pivot into broader network compromise if the timetable system is integrated with other internal systems. Given the remote exploitability without authentication, organizations face a heightened risk if the application is exposed to the internet without proper network segmentation or additional security controls.
Mitigation Recommendations
Organizations should immediately assess whether they are using projectworlds Online Time Table Generator version 1.0 and restrict access to the /admin/add_course.php endpoint to trusted administrators only, ideally via VPN or IP whitelisting. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'c/subname' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries. If possible, migrate to a newer, patched version of the software once available or consider alternative timetable management solutions with active security support. Regularly monitor logs for suspicious activity related to the vulnerable endpoint. Network segmentation should be enforced to isolate the timetable generator from critical internal systems. Finally, organizations should prepare incident response plans to quickly address any potential exploitation.
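The recommendations above include monitoring logs for suspicious activity against the vulnerable endpoint. Below is an added example of that check, not code from the page or the project: a small PHP script that parses web-server access-log lines in the common "combined" format, keeps only requests to /admin/add_course.php, and flags those whose URL-decoded query string contains SQL metacharacters. The three log lines are constructed for the example; the indicator list and the path constant are assumptions you would tune to your own deployment.

```php
<?php
// Added example (not from the page or the project). Sample log lines are
// constructed; the indicator patterns are a coarse starting point.

const VULN_PATH = '/admin/add_course.php';

// Returns one finding per log line that hits the vulnerable endpoint with a
// query string containing structure-changing SQL characters or keywords.
function scanAccessLog(array $lines): array
{
    $findings = [];
    $indicators = [
        'single quote' => "/'/",
        'comment'      => '/--|\/\*/',
        'terminator'   => '/;/',
        'union'        => '/\bunion\b/i',
    ];
    // combined format: ip ident user [time] "METHOD target PROTO" status size ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;   // not a combined-format line; skip it
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $url = parse_url($target);
        if (($url['path'] ?? '') !== VULN_PATH) {
            continue;
        }
        $query = rawurldecode($url['query'] ?? '');
        $hits = [];
        foreach ($indicators as $name => $pat) {
            if (preg_match($pat, $query)) {
                $hits[] = $name;
            }
        }
        if ($hits) {
            $findings[] = [
                'ip' => $ip, 'time' => $ts, 'method' => $method,
                'status' => (int) $status, 'query' => $query, 'hits' => $hits,
            ];
        }
    }
    return $findings;
}

// Constructed sample: a benign request, a suspicious one, and an unrelated path.
$sample = [
    '203.0.113.10 - - [20/May/2025:22:35:05 +0000] "GET /admin/add_course.php?subname=Algebra+II HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/May/2025:22:36:10 +0000] "GET /admin/add_course.php?subname=Algebra%27-- HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.12 - - [20/May/2025:22:37:00 +0000] "GET /index.php?q=%27 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sample) as $f) {
    printf("[%s] %s %s %s status=%d indicators=%s\n",
        $f['time'], $f['ip'], $f['method'], $f['query'], $f['status'], implode(',', $f['hits']));
}
```

Two caveats a practitioner should keep in mind. The access log only records the query string, so if the form submits `subname` in a POST body the parameter never appears there; in that case the same check has to run in a WAF or in application-level request logging. And a single quote in a legitimate name (a course like "Int'l Relations") will trigger the first indicator, so treat hits as leads to review, with the status code and source IP as context, rather than as confirmed exploitation.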
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-20T13:22:04.572Z
- Cisa Enriched: false
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682d03994d7c5ea9f4b3bd15
Added to database: 5/20/2025, 10:35:05 PM
Last enriched: 7/6/2025, 4:57:50 AM
Last updated: 8/18/2025, 11:32:44 PM
Views: 21
Related Threats
CVE-2025-9356: Stack-based Buffer Overflow in Linksys RE6250 (High)
CVE-2025-9355: Stack-based Buffer Overflow in Linksys RE6250 (High)
CVE-2025-43761: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal (Medium)
CVE-2025-24902: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA (Critical)
CVE-2025-52451: CWE-20 Improper Input Validation in Salesforce Tableau Server (High)