
CVE-2025-5977: SQL Injection in code-projects School Fees Payment System

Severity: Medium
Published: Tue Jun 10 2025 (06/10/2025, 20:00:15 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: School Fees Payment System

Description

A vulnerability was found in code-projects School Fees Payment System 1.0 and classified as critical. This issue affects some unknown processing of the file /datatable.php. The manipulation of the argument sSortDir_0 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/10/2025, 21:32:33 UTC

Technical Analysis

CVE-2025-5977 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects School Fees Payment System. The flaw exists in the processing of the /datatable.php file, specifically through manipulation of the 'sSortDir_0' parameter. This parameter is used in a way that allows an attacker to inject arbitrary SQL commands into the backend database query without any authentication or user interaction. The vulnerability is remotely exploitable over the network, meaning an attacker can trigger it without prior access or credentials. The injection can lead to unauthorized data disclosure, data modification, or potentially full compromise of the database and underlying system. Although the CVSS 4.0 score is 6.9 (medium severity), the lack of authentication and remote exploitability elevate the risk, especially in environments where sensitive financial and personal data are processed. No official patches or mitigations have been published yet, and while no known exploits are currently observed in the wild, the public disclosure increases the likelihood of exploitation attempts. The vulnerability impacts the confidentiality, integrity, and availability of the affected system, as attackers could extract sensitive student and payment data, alter payment records, or disrupt payment processing services.

Potential Impact

For European organizations, especially educational institutions and financial departments managing school fee payments, this vulnerability poses a significant risk. Exploitation could lead to exposure of personally identifiable information (PII) of students and parents, financial transaction details, and internal payment records. This could result in regulatory non-compliance with GDPR due to data breaches, financial fraud, reputational damage, and operational disruption of fee collection processes. Given the critical nature of educational services and their reliance on timely fee processing, exploitation could also impact service availability, causing administrative delays and loss of trust among stakeholders. Furthermore, attackers could leverage this vulnerability as a foothold to pivot into broader internal networks, increasing the risk of wider organizational compromise.

Mitigation Recommendations

Immediate mitigation should include implementing input validation and parameterized queries or prepared statements to prevent SQL injection in the /datatable.php file, particularly sanitizing the 'sSortDir_0' parameter. Organizations should conduct a thorough code review of the payment system to identify and remediate similar injection points. If patching is not yet available, deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious SQL injection payloads targeting this parameter can reduce risk. Network segmentation should be enforced to limit access to the payment system backend. Logging and monitoring should be enhanced to detect anomalous queries or access patterns indicative of exploitation attempts. Additionally, organizations should prepare incident response plans specific to potential data breaches involving payment systems. Finally, consider migrating to updated or alternative payment systems with active security support if remediation is delayed.
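The sort direction that reaches /datatable.php cannot be bound as a prepared-statement parameter (ORDER BY clauses accept identifiers and keywords, not bound values), so the remediation described above amounts to allowlisting it while binding everything else. The following PHP is an added illustration, not code from the School Fees Payment System: the `fees` table and its column names are assumptions, and the other request parameters follow the DataTables 1.9 legacy server-side protocol to which `sSortDir_0` belongs.

```php
<?php
// Added example (not the project's code): hardened handling of the DataTables
// legacy parameters consumed by a server-side endpoint such as /datatable.php.
// Table and column names are assumptions for illustration.

// Vulnerable pattern: the sort direction is interpolated straight into SQL,
// so any value of sSortDir_0 becomes part of the query text.
function buildOrderByVulnerable(array $get): string
{
    $dir = $get['sSortDir_0'] ?? 'asc';
    return "ORDER BY student_name " . $dir;
}

// Hardened pattern: ORDER BY column and direction cannot be bound as
// prepared-statement parameters, so both are mapped through allowlists.
const SORTABLE_COLUMNS = ['student_name', 'amount', 'paid_at']; // assumed schema

function buildOrderBySafe(array $get): string
{
    $dir = strtolower((string)($get['sSortDir_0'] ?? 'asc'));
    $dir = ($dir === 'desc') ? 'DESC' : 'ASC';   // anything else falls back to ASC

    // iSortCol_0 is an index into the allowlist, never a raw column name.
    $idx = filter_var($get['iSortCol_0'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => count(SORTABLE_COLUMNS) - 1]]);
    $column = SORTABLE_COLUMNS[$idx === false ? 0 : $idx];

    return "ORDER BY `$column` $dir";
}

// Values that vary per request (search term, paging) are bound, not concatenated.
function fetchFeesPage(mysqli $db, array $get): array
{
    $search = '%' . ($get['sSearch'] ?? '') . '%';
    $limit  = max(1, min(100, (int)($get['iDisplayLength'] ?? 10)));
    $offset = max(0, (int)($get['iDisplayStart'] ?? 0));

    $sql = "SELECT student_name, amount, paid_at FROM fees WHERE student_name LIKE ? "
         . buildOrderBySafe($get) . " LIMIT ? OFFSET ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('sii', $search, $limit, $offset);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

A WAF rule for this parameter can be correspondingly strict: legitimate values of `sSortDir_0` are only `asc` or `desc`, so anything else is worth logging as a probe.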


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-10T11:47:46.890Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684891ea48de16fa2fcfc184

Added to database: 6/10/2025, 8:13:30 PM

Last enriched: 7/10/2025, 9:32:33 PM

Last updated: 8/11/2025, 6:46:29 PM
