This vulnerability is a classic SQL injection (CWE-89) caused by improper handling of the 'classId' parameter in the instructorClasses.php file of the itsourcecode Online Student Enrollment System v1.0. The parameter is taken directly from the HTTP GET request and concatenated into an SQL query without any input validation or sanitization, allowing attackers to inject malicious SQL code. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting that it is remotely exploitable over the network without privileges or user interaction and can lead to complete compromise of the database's confidentiality, integrity, and availability. No patch or vendor advisory is currently available, and the affected versions are not explicitly specified beyond v1.0.

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database. This can result in unauthorized data disclosure, data modification, or deletion, and potentially full system compromise depending on the database privileges. The impact is critical due to the high CVSS score and the nature of SQL injection vulnerabilities.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to implement input validation and parameterized queries or prepared statements to prevent SQL injection. Avoid directly concatenating user input into SQL queries. Monitor for any vendor updates or patches addressing this vulnerability.