CVE-2025-8471
published 2025-08-02


Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 0.60% (44.0th percentile)
A vulnerability, which was classified as critical, has been found in projectworlds Online Admission System 1.0. This issue affects some unknown processing of the file /adminlogin.php. The manipulation of the argument a_id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Affected

1 ranges
Vendor: projectworlds
Product: online_admission_system
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /adminlogin.php
command: GET /adminlogin.php?a_id='/**/OR/**/1=1--
command: GET /adminlogin.php?a_id='/**/OR/**/'a'='a'--
command: GET /adminlogin.php?a_id='/**/OR/**/1=1/**/AND/**/1=1--
command: GET /adminlogin.php?a_id='/**/UNION/**/SELECT/**/NULL,NULL--
command: GET /adminlogin.php?a_id='/**/AND/**/SUBSTRING(@@version,1,1)='5'--
  • Monitor HTTP requests to /adminlogin.php where the 'a_id' parameter contains SQL comment-obfuscated payloads using /**/ as whitespace substitution (e.g., OR/**/1=1, UNION/**/SELECT, AND/**/SUBSTRING).
  • Detect SQL error strings in HTTP responses from /adminlogin.php that indicate successful injection triggering, including: 'you have an error in your sql syntax', 'warning: mysql', 'mysql_fetch_array', 'unknown column', 'sqlstate', 'ora-'.
  • The exploit uses a time-based blind technique via SELECT SLEEP(2); — detect anomalous response latency (≥2s) on requests to /adminlogin.php with SQL-like a_id parameter values.
  • The exploit tool sets a fixed Referer header of 'http://example.com' on all injection requests; this can be used as a supplementary detection signal in WAF/proxy logs.
  • The exploit writes output to a local file named 'result.log'; presence of this file on a web server host may indicate post-exploitation activity from this tool.
  • The attack is unauthenticated and remotely initiated via GET request to /adminlogin.php — no session or authentication cookie is required for exploitation.
  • The exploit targets specifically projectworlds Online Admission System version 1.0; the vulnerable parameter is 'a_id' in /adminlogin.php only.
  • The exploit uses /**/ comment blocks as whitespace substitutes to bypass naive keyword-based WAF filters; detection rules must account for this obfuscation pattern in URL-decoded parameter values.
  • The exploit tool supports optional cookie-file injection (--cookie flag), meaning authenticated-session variants of the attack are also possible if a valid session cookie is supplied.
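
The monitoring points above can be combined into one log check that URL-decodes a_id, collapses /**/ comment blocks to whitespace, and only then matches SQL keywords. This is an added example, not code from the advisory or from the exploit tool; the record layout (request target, Referer, response seconds), the function names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# MySQL treats an inline comment such as /**/ as whitespace, so collapse it first.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
SQLI_TOKENS = re.compile(
    r"'\s*(?:or|and)\b|\bunion\s+select\b|\bsleep\s*\(|\bsubstring\s*\(", re.I
)
TOOL_REFERER = "http://example.com"   # fixed Referer described above
SLOW_SECONDS = 2.0                    # SLEEP(2) latency threshold described above


def normalize(value):
    """Replace comment blocks with a space and collapse whitespace runs."""
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", value)).strip()


def inspect_request(target, referer="", seconds=0.0):
    """Return the detection signals raised by one request to /adminlogin.php."""
    parts = urlsplit(target)
    if parts.path != "/adminlogin.php":
        return []
    # parse_qs percent-decodes the value, so encoded payloads are covered too.
    values = parse_qs(parts.query, keep_blank_values=True).get("a_id", [])
    if not any(SQLI_TOKENS.search(normalize(v)) for v in values):
        return []
    signals = ["sqli_a_id"]
    # Referer and latency are supplementary: reported only alongside a match.
    if referer == TOOL_REFERER:
        signals.append("tool_referer")
    if seconds >= SLOW_SECONDS:
        signals.append("slow_response")
    return signals


# Constructed proxy-log records: (request target, Referer, response seconds).
SAMPLE_LOG = [
    ("/adminlogin.php?a_id=1042", "", 0.04),
    ("/adminlogin.php?a_id='/**/OR/**/1=1--", "http://example.com", 0.05),
    ("/adminlogin.php?a_id=%27%2F**%2FUNION%2F**%2FSELECT%2F**%2FNULL,NULL--", "", 0.06),
    ("/adminlogin.php?a_id='/**/AND/**/SLEEP(2)--", "http://example.com", 2.11),
    ("/index.php?a_id='/**/OR/**/1=1--", "", 0.03),
]

if __name__ == "__main__":
    for target, referer, seconds in SAMPLE_LOG:
        print(inspect_request(target, referer, seconds) or ["clean"], target)
```

Matching the raw value without the normalize step misses every record here, which is the gap the /**/ obfuscation relies on.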

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 5.5 MEDIUM · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P