
CVE-2025-8247: SQL Injection in Projectworlds Online Admission System

Medium
Tags: Vulnerability, CVE-2025-8247
Published: Sun Jul 27 2025 (07/27/2025, 23:32:04 UTC)
Source: CVE Database V5
Vendor/Project: Projectworlds
Product: Online Admission System

Description

A vulnerability classified as critical has been found in Projectworlds Online Admission System 1.0. This affects an unknown part of the file /admin.php. The manipulation of the argument markof leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/04/2025, 01:00:21 UTC

Technical Analysis

CVE-2025-8247 is a SQL injection vulnerability in Projectworlds Online Admission System version 1.0. It resides in the /admin.php file, in the handling of the 'markof' parameter: a value supplied in this parameter is incorporated into a database query without adequate separation of data from SQL syntax, so an attacker who controls it can alter the query the backend database executes. According to the CVSS vector, the flaw is exploitable remotely without user interaction or authentication. The vulnerability has been publicly disclosed, which raises the likelihood of exploitation, although no active exploitation in the wild has been reported so far. The CVSS 4.0 base score is 5.3 (medium severity), reflecting remote reachability, low attack complexity and no privileges or user interaction required; the confidentiality, integrity and availability impacts are each rated low, indicating limited but non-negligible consequences. In practice the flaw likely lets an attacker read or modify data in the admission system's database, leading to unauthorized data access or corruption. Because the affected software is an online admission system, the organizations at risk are educational institutions and other bodies managing admissions, where exploitation could expose sensitive applicant data or disrupt admission processes.

Potential Impact

For European organizations, especially educational institutions and universities using Projectworlds Online Admission System 1.0, this vulnerability poses a risk of unauthorized data access and manipulation. Exploitation could lead to leakage of personal applicant information, including sensitive academic records or identification data, violating GDPR and other privacy regulations. Additionally, data integrity issues could disrupt admission workflows, causing operational delays or reputational damage. While the CVSS score indicates medium severity, the public disclosure increases the urgency for mitigation to prevent potential exploitation. Organizations in Europe must consider the regulatory implications of data breaches and the operational impact of compromised admission systems, which are critical for academic administration.

Mitigation Recommendations

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:

1) Applying strict input validation and sanitization on the 'markof' parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection payloads.
2) Restricting access to the /admin.php endpoint via IP whitelisting or VPN to limit exposure to trusted administrators only.
3) Conducting thorough code reviews and applying parameterized queries or prepared statements in the application code to eliminate SQL injection vectors.
4) Monitoring database logs and web server logs for suspicious queries or unusual activity related to the 'markof' parameter.
5) Planning for an urgent update or patch deployment once the vendor releases a fix.
6) Educating administrators about the risk and ensuring strong authentication and session management to reduce risk from other attack vectors.

These targeted measures go beyond generic advice by focusing on the specific vulnerable parameter and access controls relevant to the affected system.
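The following is an added example of the log monitoring suggested in recommendation 4; it is not code from the advisory or from Projectworlds. It parses Apache combined-format access log lines (constructed samples below), extracts every 'markof' value sent to /admin.php after URL decoding, and flags values that fall outside an allowlisted shape. The assumption that legitimate 'markof' values are short identifiers is ours; the real application's expected format is not documented on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jul/2025:10:01:02 +0000] "GET /admin.php?markof=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Jul/2025:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jul/2025:10:02:10 +0000] "GET /admin.php?markof=42%27 HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.8 - - [28/Jul/2025:10:03:00 +0000] "GET /admin.php?markof=7&markof=x%20y HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed legitimate shape of 'markof' (a short identifier); adjust to the deployment.
ALLOWED_MARKOF = re.compile(r'^[A-Za-z0-9_-]{1,32}$')
ADMIN_PATH = "/admin.php"


def parse_line(line):
    """Return (ip, method, path, query) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), m.group("method"), parts.path, parts.query


def markof_values(log_text):
    """All (ip, decoded value) pairs for 'markof' sent to /admin.php.
    Repeated occurrences are all kept, so a duplicate parameter cannot hide one."""
    found = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != ADMIN_PATH:
            continue
        ip, query = parsed[0], parsed[3]
        for value in parse_qs(query, keep_blank_values=True).get("markof", []):
            found.append((ip, value))
    return found


def suspicious_markof(log_text):
    """Values outside the allowlisted shape after URL decoding (quotes, spaces, etc.)."""
    return [(ip, v) for ip, v in markof_values(log_text) if not ALLOWED_MARKOF.match(v)]


if __name__ == "__main__":
    for ip, value in suspicious_markof(SAMPLE_LOG):
        print(f"suspicious markof from {ip}: {value!r}")
```

Only query-string parameters appear in access logs; if the application accepts 'markof' in a POST body, the same allowlist check must be applied at the WAF or reverse proxy, where the body is visible.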


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-26T13:58:23.635Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6886c5adad5a09ad0077a59a

Added to database: 7/28/2025, 12:34:53 AM

Last enriched: 8/4/2025, 1:00:21 AM

Last updated: 9/13/2025, 8:57:20 AM
