CVE-2025-5626 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Teacher Record Management System, specifically within the /admin/edit-subjects-detail.php file. The vulnerability arises from improper sanitization or validation of the 'editid' parameter, which is used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the underlying database. This can lead to unauthorized data retrieval, modification, or deletion, compromising the confidentiality, integrity, and availability of sensitive teacher records managed by the system. The vulnerability does not require authentication or user interaction, making it exploitable remotely by any attacker with network access to the affected system. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the ease of exploitation (network vector, no privileges required) but limited scope and impact (low to medium impact on confidentiality, integrity, and availability). No public exploits are currently known in the wild, but the vulnerability details have been disclosed publicly, increasing the risk of exploitation. The lack of available patches or mitigation from the vendor further elevates the threat to users of this software version.

For European organizations using the Campcodes Online Teacher Record Management System 1.0, this vulnerability poses a significant risk to the security of educational data, including personal and professional information of teachers. Exploitation could lead to data breaches, unauthorized data manipulation, or disruption of educational administrative processes. This can result in regulatory non-compliance, especially under GDPR, due to exposure of personal data, leading to potential fines and reputational damage. Additionally, compromised systems could be leveraged as footholds for further attacks within educational networks. The impact is particularly critical for institutions relying heavily on this system for teacher record management without additional security controls or network segmentation.

Organizations should immediately audit their use of Campcodes Online Teacher Record Management System 1.0 and restrict access to the /admin/edit-subjects-detail.php endpoint to trusted administrators only, ideally via VPN or IP whitelisting. Implement Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the 'editid' parameter. Conduct thorough input validation and parameterized queries or prepared statements in the application code if source code access and modification are possible. Monitor logs for suspicious activity related to SQL injection attempts. If possible, isolate the affected system from critical network segments to limit lateral movement. Engage with the vendor for patch availability or consider upgrading to a newer, patched version once released. As a temporary measure, disable or restrict the vulnerable functionality if it is not essential.