CVE-2025-8251 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Exam Form Submission application. The vulnerability resides in the /admin/delete_s4.php file, specifically in the handling of the 'ID' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, which can lead to unauthorized database queries. This can result in unauthorized data access, data modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the backend database. The vulnerability requires no authentication or user interaction, making it highly exploitable. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required. However, the impact on confidentiality, integrity, and availability is rated as low to medium, which moderates the overall severity. No official patches or mitigations have been published yet, and while no known exploits are currently in the wild, the public disclosure of the exploit code increases the risk of exploitation by threat actors.

For European organizations using the code-projects Exam Form Submission 1.0 application, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive examination data, including personal information of candidates and exam results, potentially violating GDPR and other data protection regulations. The integrity of exam records could be compromised, undermining trust in academic or certification processes. Availability could also be affected if attackers delete or corrupt data. Given the remote exploitability without authentication, attackers could leverage this vulnerability to pivot into broader network environments, especially in educational institutions or certification bodies that rely on this software. The public disclosure increases the urgency for European organizations to assess their exposure and implement mitigations promptly.

Immediate mitigation steps include restricting access to the /admin/delete_s4.php endpoint via network controls such as IP whitelisting or VPN access to limit exposure. Implementing Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns targeting the 'ID' parameter can provide temporary protection. Organizations should conduct thorough input validation and parameterized queries or prepared statements in the application code to eliminate SQL injection risks. Since no official patch is available, organizations should consider disabling or isolating the vulnerable functionality until a patch is released. Regular monitoring of logs for suspicious activity related to this endpoint is critical. Additionally, organizations should prepare incident response plans to quickly address potential exploitation attempts.