CVE-2025-9788 is a SQL Injection vulnerability identified in version 1.0 of the SourceCodester/Campcodes School Log Management System. The vulnerability exists in the /admin/admin_class.php file, specifically through the manipulation of the 'id_no' parameter. An attacker can remotely exploit this flaw without requiring any authentication or user interaction, by sending specially crafted input to the vulnerable parameter. This input is not properly sanitized or parameterized, allowing the attacker to inject arbitrary SQL commands. The consequence of successful exploitation includes unauthorized access to the backend database, which may lead to data leakage, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with characteristics such as network attack vector, low complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no public exploits have been observed in the wild yet, the vulnerability has been publicly disclosed, increasing the risk of exploitation attempts. The affected product is a school log management system, which likely stores sensitive student and staff information, attendance records, and possibly other administrative data. The vulnerability's exploitation could compromise the confidentiality and integrity of this data, potentially impacting the privacy of individuals and the operational integrity of educational institutions using this software.

For European organizations, particularly educational institutions using the SourceCodester School Log Management System version 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of personal data of students and staff, violating GDPR regulations and resulting in legal and financial penalties. Data integrity could be compromised, leading to falsified attendance or academic records, which could disrupt administrative processes and damage institutional trust. Availability impacts are limited but possible if attackers execute destructive SQL commands. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in environments where the system is accessible over the internet or poorly segmented networks. Given the sensitivity of educational data and the regulatory environment in Europe, the impact extends beyond technical damage to reputational and compliance consequences.

Immediate mitigation should focus on applying a vendor-supplied patch or update if available; however, no patch links are currently provided, so organizations should contact the vendor for remediation. In the interim, organizations should implement input validation and sanitization on the 'id_no' parameter at the web application firewall (WAF) or reverse proxy level to block suspicious SQL syntax patterns. Restricting access to the /admin/admin_class.php endpoint through network segmentation, IP whitelisting, or VPN access can reduce exposure. Monitoring and logging of database queries and web server logs should be enhanced to detect anomalous activities indicative of SQL injection attempts. Employing parameterized queries or prepared statements in the application code is a long-term fix to prevent injection vulnerabilities. Regular security assessments and penetration testing focused on injection flaws should be conducted. Additionally, organizations should review and tighten database user permissions to limit the potential damage from successful injection attacks.