
CVE-2025-8272: SQL Injection in code-projects Exam Form Submission

Medium
Vulnerability (tags: cve, cve-2025-8272)
Published: Mon Jul 28 2025 (07/28/2025, 10:32:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Exam Form Submission

Description

A vulnerability was found in code-projects Exam Form Submission 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/update_fst.php. The manipulation of the argument credits leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 07/28/2025, 11:02:40 UTC

Technical Analysis

CVE-2025-8272 is a SQL injection vulnerability in version 1.0 of the code-projects Exam Form Submission application. The flaw is in /admin/update_fst.php, in the handling of the 'credits' parameter: the value reaches a SQL statement without being parameterized or validated, so an attacker who controls it can change the query the database executes. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) records the issue as reachable over the network with no privileges and no user interaction. Because the script sits under /admin/, deployers should verify whether the endpoint actually enforces an administrator session; that determines whether the attack is genuinely unauthenticated in their environment. Successful exploitation affects the confidentiality, integrity and availability of the stored data: depending on the privileges of the database account the application uses, an attacker can read, modify or delete exam and student records. The CVSS 4.0 base score is 6.9 (Medium); the "critical" wording in the description is VulDB's qualitative rating, which weighs the consequences of SQL injection more heavily than the numeric score does. No vendor patch or mitigation has been published, and no in-the-wild exploitation is known, but exploit details are public, which lowers the bar for attackers. Remote reachability combined with public exploit details makes this a meaningful risk for any organization running this software on an internet-facing host.
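The following is an added illustration of the bug class, not code from Exam Form Submission or from VulDB: the real schema and query of update_fst.php are not on this page, so the students table, its column names and the shape of the UPDATE statement are assumptions. It runs the same attacker-controlled 'credits' value through an interpolated query and through a validated, parameterized one against an in-memory SQLite database, so the difference in effect can be observed directly.

```python
import re
import sqlite3

# Constructed stand-in for the application's database. The real schema of
# Exam Form Submission is not on the page; table and column names are assumed.
SCHEMA = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, credits INTEGER);
INSERT INTO students VALUES (1, 'alice', 12), (2, 'bob', 15), (3, 'carol', 9);
"""

INTEGER_RE = re.compile(r"[0-9]+")


def fresh_db():
    """Return an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def credits_by_id(conn):
    """Snapshot of the credits column keyed by student id."""
    rows = conn.execute("SELECT id, credits FROM students ORDER BY id")
    return {student_id: credits for student_id, credits in rows}


def update_credits_vulnerable(conn, student_id, credits):
    """The bug class behind CVE-2025-8272: the request value is spliced into
    the statement text. The query shape is an assumption; the advisory only
    says that 'credits' reaches SQL unsafely."""
    sql = f"UPDATE students SET credits = '{credits}' WHERE id = {int(student_id)}"
    conn.execute(sql)
    conn.commit()
    return sql


def update_credits_safe(conn, student_id, credits):
    """Hardened form: reject anything that is not a plain integer, then bind
    the value with a placeholder so it can never become SQL syntax."""
    if not isinstance(credits, str) or not INTEGER_RE.fullmatch(credits):
        raise ValueError("credits must be a non-negative integer")
    conn.execute(
        "UPDATE students SET credits = ? WHERE id = ?",
        (int(credits), int(student_id)),
    )
    conn.commit()


# Constructed payloads for the 'credits' parameter.
TAMPER_PAYLOAD = "99' WHERE 1=1 --"          # closes the literal, rewrites WHERE
EXFIL_PAYLOAD = "' || (SELECT group_concat(name) FROM students) || '"  # copies data into a readable field


if __name__ == "__main__":
    conn = fresh_db()
    print(update_credits_vulnerable(conn, "1", TAMPER_PAYLOAD))
    print("after tamper:", credits_by_id(conn))     # every row now has 99 credits

    conn = fresh_db()
    print(update_credits_vulnerable(conn, "1", EXFIL_PAYLOAD))
    print("after exfil:", credits_by_id(conn))      # row 1 now holds all names

    conn = fresh_db()
    try:
        update_credits_safe(conn, "1", TAMPER_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    update_credits_safe(conn, "1", "99")
    print("after safe update:", credits_by_id(conn))  # only row 1 changed
```

The second payload shows why an UPDATE-only endpoint still leaks data: a subquery can copy any value the database account can read into a column the attacker can later view through the application. The hardened version does two independent things; the placeholder is what actually prevents injection, and the integer check additionally keeps garbage out of the column.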

Potential Impact

For European organizations using code-projects Exam Form Submission 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive student and exam data, potentially violating GDPR regulations concerning personal data protection. Data integrity could be compromised, affecting the reliability of exam records and administrative processes. Availability of the exam submission system could also be disrupted, impacting educational institutions' operations. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially in institutions with internet-facing administrative portals. The reputational damage and potential regulatory fines resulting from data breaches could be substantial. Additionally, attackers could leverage this vulnerability as a foothold for further network compromise within educational or governmental institutions.

Mitigation Recommendations

Until a fix is released, the most effective mitigation is in the code itself: rewrite the query in /admin/update_fst.php to use prepared statements with bound parameters (PDO or mysqli in PHP) and validate 'credits' as an integer before it reaches the database; escaping alone is not a substitute for parameterization. Review the rest of the admin module and related scripts for the same pattern, since an application with one interpolated query rarely has only one. A web application firewall can block common injection payloads aimed at the 'credits' parameter as a stopgap, but it should not be treated as the fix, because encoded or novel payloads can evade signatures. Restrict the /admin/ directory to trusted networks (IP allowlisting, VPN, or an authenticating reverse proxy); this also closes the unauthenticated path described by the CVSS vector. Enable and review web server and database logs for requests to update_fst.php whose 'credits' value is non-numeric or contains SQL metacharacters; parameters sent in a POST body do not appear in standard access logs, so application-level request logging may be needed. Run the application's database account with the minimum privileges it needs (for example, no DROP and no access to other schemas) to limit what an injected statement can do. If none of this is feasible, isolate or temporarily disable the vulnerable functionality. Keep regular, tested database backups so that tampered or deleted records can be restored.
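As an added example (not part of the advisory or of the project), here is a small detector for the log-review step above. It parses combined-format access-log lines, which are constructed sample data rather than real traffic, and flags requests to /admin/update_fst.php whose 'credits' query parameter is not a plain integer. It only sees parameters carried in the URL; if the application sends 'credits' in a POST body, the same check has to run over application-level request logging.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2025:10:40:01 +0000] "GET /admin/update_fst.php?id=1&credits=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jul/2025:10:40:07 +0000] "GET /admin/update_fst.php?id=1&credits=99%27%20WHERE%201%3D1%20-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jul/2025:10:41:15 +0000] "GET /admin/update_fst.php?id=2&credits=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "sqlmap/1.8"
192.0.2.17 - - [28/Jul/2025:10:42:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/update_fst.php"   # the script named in the advisory
INTEGER_RE = re.compile(r"[0-9]+")      # the only legitimate shape for 'credits'


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def flag_credits(line):
    """Return a finding if the line targets update_fst.php with a suspicious
    'credits' value, otherwise None. The value is percent-decoded first so
    encoded quotes and comment markers are inspected as the server sees them."""
    record = parse_line(line)
    if record is None:
        return None
    url = urlsplit(record["target"])
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("credits", []):
        if not INTEGER_RE.fullmatch(value):
            return {
                "ip": record["ip"],
                "ts": record["ts"],
                "status": record["status"],
                "credits": value,
                "reason": "non-integer credits value sent to update_fst.php",
            }
    return None


def scan(log_text):
    """Run the check over every line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = flag_credits(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} credits={hit['credits']!r}: {hit['reason']}")
```

An allowlist check ("is it an integer?") catches encoded and obfuscated payloads that a blocklist of SQL keywords would miss, and it produces no false positives for legitimate traffic because the parameter has exactly one valid form. The same rule, applied before the value reaches the query, is the validation half of the code fix.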


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-27T18:31:38.177Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68875549ad5a09ad00825f6d

Added to database: 7/28/2025, 10:47:37 AM

Last enriched: 7/28/2025, 11:02:40 AM

Last updated: 7/30/2025, 7:49:08 AM
