
CVE-2025-8372: SQL Injection in code-projects Exam Form Submission

Medium
Tags: Vulnerability, CVE-2025-8372
Published: Thu Jul 31 2025 (07/31/2025, 07:32:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Exam Form Submission

Description

A vulnerability was found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/update_s7.php. The manipulation of the argument credits leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/31/2025, 08:02:50 UTC

Technical Analysis

CVE-2025-8372 is a SQL injection vulnerability in version 1.0 of the code-projects Exam Form Submission application, classified as critical by the reporting source. The flaw resides in the /admin/update_s7.php script, in its handling of the 'credits' parameter. An attacker can manipulate this parameter to inject SQL into the query the script builds, potentially allowing unauthorized reading or modification of the backend database. The vulnerability is remotely exploitable and, per the analysis, requires neither authentication nor user interaction, which raises its risk profile. The CVSS 4.0 base score is 6.9 (medium severity): the attack is easy to carry out (network accessible, no privileges or user interaction needed), but the rated impact on confidentiality, integrity, and availability is low. Only version 1.0 is affected, and no official patch or vendor mitigation has been published yet. No exploitation in the wild has been observed, but exploit details have been disclosed publicly, which increases the likelihood that threat actors will attempt it. Depending on the database account's permissions and the application architecture, SQL injection can lead to data leakage, data corruption, or complete compromise of the backend database. Because the vulnerable script sits in the administrative area, successful exploitation could allow an attacker to alter exam-related data or use the foothold to gain further access to the system.

Potential Impact

For European organizations running code-projects Exam Form Submission 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of exam data and of any other sensitive information stored in the backend database. Educational institutions or certification bodies relying on this software could face data breaches, manipulation of exam results, or disruption of exam processes. The remote and unauthenticated nature of the attack increases the likelihood of exploitation, especially where the affected systems are reachable from the internet without adequate network protections. Consequences extend to reputational damage, regulatory non-compliance (for example under GDPR if personal data is involved), and operational disruption. Since the flaw is in administrative functionality, an attacker could escalate privileges or pivot to other internal systems if network segmentation is not enforced. The medium CVSS score suggests moderate impact, but the critical classification by the reporting source indicates that exploitation could have serious consequences depending on the deployment context.

Mitigation Recommendations

1. As an immediate mitigation, restrict external access to the /admin/update_s7.php endpoint with network controls such as firewalls or a VPN, so that only trusted internal networks can reach it.
2. Deploy Web Application Firewall (WAF) rules that detect and block SQL injection patterns aimed at the 'credits' parameter.
3. Conduct a thorough code review and rewrite database access in update_s7.php to use parameterized queries or prepared statements, and validate all inputs (type and range), with particular attention to the 'credits' parameter. Note that prepared statements keep data out of the SQL text; they do not "sanitize" it, so input validation remains a separate step.
4. Upgrade to a patched version once the vendor releases one, or apply community-provided patches after thorough testing.
5. Monitor web server and database logs for suspicious requests to the vulnerable endpoint and for unusual database queries.
6. Train system administrators and developers in secure coding practices to prevent similar vulnerabilities.
7. Perform regular vulnerability scanning and penetration testing with a focus on SQL injection vectors in the application.
8. Consider isolating the affected application in a segmented network zone to limit lateral movement in case of compromise.
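The hardening in item 3, shown as an added illustrative example written for this page; it is not code from the code-projects project and does not reconstruct the real update_s7.php. The table and column names (subjects, id, credits), the credit range 0 to 100, and the in-memory SQLite database are assumptions chosen so the script runs stand-alone. The first function shows the general pattern that produces this class of bug (untrusted input concatenated into SQL text); the second shows the corrected form with type validation and a bound prepared statement.

```php
<?php
declare(strict_types=1);

// Illustrative example only, not the project's code.
// Assumed schema: subjects(id INTEGER, credits INTEGER).

// Pattern that produces this class of bug: request values become part
// of the SQL statement text, so the database parses whatever they contain.
function updateCreditsUnsafe(PDO $pdo, array $request): void
{
    $credits = $request['credits'] ?? '';
    $id      = $request['id'] ?? '';
    // DO NOT USE: string interpolation into SQL.
    $pdo->exec("UPDATE subjects SET credits = '$credits' WHERE id = '$id'");
}

// Hardened form: validate the type and range first, then send the values
// as bound parameters so they can never be interpreted as SQL.
function updateCreditsSafe(PDO $pdo, array $request): bool
{
    // Both values are expected to be integers within an assumed range.
    $credits = filter_var($request['credits'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($credits === false || $id === false) {
        return false; // reject the request instead of touching the database
    }

    $stmt = $pdo->prepare('UPDATE subjects SET credits = :credits WHERE id = :id');
    $stmt->bindValue(':credits', $credits, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute() && $stmt->rowCount() === 1;
}

// Stand-alone demonstration on a constructed in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL deployments also disable emulated prepares so the server binds:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE subjects (id INTEGER PRIMARY KEY, credits INTEGER)');
$pdo->exec('INSERT INTO subjects (id, credits) VALUES (1, 3)');

// Well-formed request (constructed): accepted.
var_dump(updateCreditsSafe($pdo, ['id' => '1', 'credits' => '4']));   // bool(true)
// Non-integer credits value (constructed): rejected before any query runs.
var_dump(updateCreditsSafe($pdo, ['id' => '1', 'credits' => "4 x"])); // bool(false)
// Out-of-range value (constructed): rejected by the range check.
var_dump(updateCreditsSafe($pdo, ['id' => '1', 'credits' => '999'])); // bool(false)

$row = $pdo->query('SELECT credits FROM subjects WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump((int) $row['credits']); // int(4): only the valid update was applied
```

The validation step matters independently of the prepared statement: binding prevents the value from changing the query's structure, while the integer and range checks enforce the application's own rules on what a credit value may be, which a bound parameter alone does not do.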


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-30T16:39:39.632Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688b1fa4ad5a09ad00b489b3

Added to database: 7/31/2025, 7:47:48 AM

Last enriched: 7/31/2025, 8:02:50 AM

Last updated: 7/31/2025, 8:08:06 PM

