
CVE-2025-8947: SQL Injection in projectworlds Visitor Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-8947
Published: Thu Aug 14 2025 (08/14/2025, 06:32:05 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: Visitor Management System

Description

A vulnerability was found in projectworlds Visitor Management System 1.0. This issue affects some unknown processing of the file /query_data.php. The manipulation of the argument dateF/dateP leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/14/2025, 07:02:47 UTC

Technical Analysis

CVE-2025-8947 is a SQL Injection vulnerability identified in version 1.0 of the projectworlds Visitor Management System, specifically affecting the /query_data.php endpoint. The vulnerability arises from improper sanitization or validation of user-supplied input in the parameters dateF and dateP, which are used in SQL queries. An attacker can manipulate these parameters to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, which may lead to exploitation attempts. The Visitor Management System is typically used to track and manage visitor access in organizations, meaning that exploitation could expose sensitive visitor data or disrupt visitor management operations.

Potential Impact

For European organizations using the projectworlds Visitor Management System 1.0, this vulnerability poses a risk of unauthorized data disclosure, data manipulation, or disruption of visitor management processes. Compromise of visitor data could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. Additionally, attackers could leverage the SQL Injection to escalate attacks within the network, potentially accessing other internal systems if database credentials or sensitive information are exposed. Operational disruption could affect physical security workflows, impacting visitor access control and safety protocols. The medium severity rating suggests a moderate but tangible risk, especially for organizations relying heavily on this system for compliance or security operations.

Mitigation Recommendations

Organizations should immediately assess their use of projectworlds Visitor Management System version 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, implement input validation and sanitization on the dateF and dateP parameters at the web application firewall (WAF) or reverse proxy level to block malicious SQL payloads. Employ parameterized queries or prepared statements in the application code if source code access is possible. Monitor logs for unusual query patterns or repeated access to /query_data.php with suspicious parameters. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Conduct regular security assessments and penetration testing focused on injection vulnerabilities. Finally, ensure visitor data backups are maintained securely to enable recovery in case of data corruption or loss.
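The two code-level recommendations above (strict validation of dateF/dateP and parameterized queries) and the log-monitoring recommendation, shown side by side with the defective pattern, as an added illustration that is not code from projectworlds; the table schema, the `visitors` rows and the function names are constructed for the example, since the real query in /query_data.php is not on the page.

```python
import re
import sqlite3
from datetime import date

# Constructed in-memory table standing in for the visitor log; the real
# schema of projectworlds Visitor Management System is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (name TEXT, visit_date TEXT)")
    conn.executemany("INSERT INTO visitors VALUES (?, ?)", [
        ("Alice", "2025-08-01"), ("Bob", "2025-08-10"), ("Carol", "2025-08-13")])
    return conn

def query_vulnerable(conn, dateF, dateP):
    # The defective pattern: request parameters are spliced into the SQL text,
    # so a quote character in dateF or dateP changes the query's structure.
    sql = ("SELECT name FROM visitors WHERE visit_date BETWEEN "
           f"'{dateF}' AND '{dateP}'")
    return [row[0] for row in conn.execute(sql)]

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def parse_date(value):
    # Allow-list validation: only a real calendar date in YYYY-MM-DD form passes.
    if not DATE_RE.match(value):
        raise ValueError(f"rejected date parameter: {value!r}")
    date.fromisoformat(value)  # raises on impossible dates such as 2025-13-40
    return value

def query_hardened(conn, dateF, dateP):
    # Validation plus a parameterized query: the values are bound by the
    # driver and are never interpreted as SQL syntax.
    start, end = parse_date(dateF), parse_date(dateP)
    sql = "SELECT name FROM visitors WHERE visit_date BETWEEN ? AND ?"
    return [row[0] for row in conn.execute(sql, (start, end))]

def is_suspicious_request(path, params):
    # Log-review check from the mitigation list: flag any /query_data.php
    # request whose dateF or dateP value is not a plain date.
    if path != "/query_data.php":
        return False
    for key in ("dateF", "dateP"):
        if key in params:
            try:
                parse_date(params[key])
            except ValueError:
                return True
    return False
```

A dateP value carrying a quote character passes straight into the query text in `query_vulnerable` but is rejected by `parse_date` before `query_hardened` touches the database, and the same check marks the request for review when run over access-log entries.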


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-13T13:51:30.641Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689d8694ad5a09ad00581090

Added to database: 8/14/2025, 6:47:48 AM

Last enriched: 8/14/2025, 7:02:47 AM

Last updated: 8/14/2025, 12:27:04 PM
