This vulnerability affects code-projects Simple Content Management System version 1.0. It involves an SQL injection flaw in an unspecified functionality within the /web/admin/login.php file. An attacker can manipulate the User parameter to inject SQL commands remotely without requiring privileges or user interaction. The CVSS 4.0 base score is 6.9, indicating a medium severity level. No official remediation or patch is currently documented, and the vendor has not provided advisory details. Exploit code is publicly available, increasing the risk of potential attacks.

Successful exploitation allows an unauthenticated remote attacker to perform SQL injection via the User parameter in the login.php script. This could lead to unauthorized access to or manipulation of the backend database with limited confidentiality, integrity, and availability impact as indicated by the CVSS vector. There are no confirmed reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the login.php User parameter. Review and harden input validation and parameter handling in the affected application code if possible.