
CVE-2025-13286: Online Voting System SQL Injection Flaw

CVE-2025-13286 is a SQL injection vulnerability in Angeljudesuarez Online Voting System 1.0 affecting the /ajax.php?action=save_user file. Attackers can exploit this remotely. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-13286 Overview

CVE-2025-13286 is a SQL injection vulnerability in itsourcecode Online Voting System 1.0. The flaw resides in the /ajax.php?action=save_user endpoint, where the ID parameter is incorporated into a database query without proper sanitization. Authenticated remote attackers can manipulate the parameter to inject arbitrary SQL statements. According to the advisory, the exploit code has been released publicly, increasing the likelihood of opportunistic attacks against exposed deployments. The vulnerability is categorized under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command) and [CWE-74] (Improper Neutralization of Special Elements in Output).

Critical Impact

Authenticated remote attackers can execute arbitrary SQL queries against the application database, leading to disclosure or modification of voter records and user credentials.

Affected Products

  • itsourcecode Online Voting System 1.0
  • Vendor: angeljudesuarez
  • CPE: cpe:2.3:a:angeljudesuarez:online_voting_system:1.0:*:*:*:*:*:*:*

Discovery Timeline

  • 2025-11-17 - CVE-2025-13286 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-13286

Vulnerability Analysis

The vulnerability exists in the AJAX user-management handler at /ajax.php?action=save_user. The ID request parameter is passed directly into a SQL statement that updates or inserts user records. Because the application performs no parameterization or input validation on this value, an attacker can append SQL operators, UNION clauses, or stacked queries.

Successful exploitation enables extraction of database contents, including hashed credentials and voter information. The vulnerability requires only low-privilege authenticated access, which is trivial to obtain on voting platforms that permit voter self-registration. Public release of the proof-of-concept lowers the technical barrier for exploitation against internet-facing instances.

Root Cause

The root cause is the absence of prepared statements or input sanitization when constructing the SQL query that processes the ID parameter inside the save_user action. User-controlled input is concatenated directly into the query string, mapping to the classic [CWE-89] anti-pattern.

Attack Vector

The attack is delivered over the network via an authenticated HTTP request to /ajax.php?action=save_user. An attacker submits a crafted ID parameter containing SQL syntax. The injected payload is executed by the back-end database engine in the context of the application's database user. Refer to the GitHub CVE Issue Discussion and VulDB #332626 for technical context.

No verified exploit code is reproduced here. The advisory confirms public availability of a proof-of-concept against the save_user action.

Detection Methods for CVE-2025-13286

Indicators of Compromise

  • HTTP POST or GET requests to /ajax.php?action=save_user containing SQL meta-characters such as single quotes, UNION SELECT, --, ;, or OR 1=1 in the ID parameter.
  • Unexpected database errors logged by the PHP application referencing the save_user handler.
  • Web server access logs showing repeated requests to save_user from a single source with varying ID values.
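The first and third indicators above can be checked mechanically against web server access logs. The following script is an added example for this article, not tooling from the advisory or the vendor: it parses combined-format access log lines, flags save_user requests whose ID query parameter carries SQL meta-characters or keywords, and flags any client that probes the endpoint with several distinct ID values. The log lines embedded at the bottom are constructed sample data; the endpoint path, the parameter name ID, and the repeat threshold are assumptions taken from this advisory.

```php
<?php
// Added example (not part of the advisory): scan combined-format access log
// lines for the CVE-2025-13286 indicators. The sample lines below are
// constructed, not real traffic.
declare(strict_types=1);

const ENDPOINT = '/ajax.php';
const REPEAT_THRESHOLD = 3;   // distinct ID values from one client before we flag

// Meta-character and keyword patterns taken from the Indicators of Compromise.
const SQLI_PATTERNS = [
    '/\'/',                          // single quote breaking out of a string literal
    '/\bunion\b\s+(all\s+)?\bselect\b/i',
    '/--/',                          // SQL comment sequence
    '/;/',                           // statement separator (stacked queries)
    '/\bor\b\s+\d+\s*=\s*\d+/i',      // OR 1=1 style tautology
];

/** Parse one combined-log line into client IP, method, path, query array and status. */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[3]);
    $query = [];
    parse_str($url['query'] ?? '', $query);   // parse_str URL-decodes values
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[4],
    ];
}

function looks_like_sqli(string $value): bool
{
    foreach (SQLI_PATTERNS as $re) {
        if (preg_match($re, $value)) {
            return true;
        }
    }
    return false;
}

/** Returns a list of alert strings for the given access log lines. */
function scan_access_log(array $lines): array
{
    $alerts = [];
    $idsByClient = [];
    foreach ($lines as $n => $line) {
        $req = parse_access_line($line);
        if ($req === null || $req['path'] !== ENDPOINT
            || ($req['query']['action'] ?? '') !== 'save_user') {
            continue;
        }
        // POST bodies are not in the access log; body-borne IDs need WAF or application logs.
        $id = $req['query']['ID'] ?? null;
        if ($id === null) {
            continue;
        }
        if (looks_like_sqli($id)) {
            $alerts[] = sprintf('line %d: %s sent SQL syntax in ID (%s)', $n + 1, $req['ip'], $id);
        }
        $idsByClient[$req['ip']][$id] = true;
    }
    foreach ($idsByClient as $ip => $ids) {
        if (count($ids) >= REPEAT_THRESHOLD) {
            $alerts[] = sprintf('%s probed save_user with %d distinct ID values', $ip, count($ids));
        }
    }
    return $alerts;
}

// Constructed sample log lines (RFC 5737 documentation addresses).
$sample = [
    '203.0.113.7 - - [17/Nov/2025:10:01:02 +0000] "GET /ajax.php?action=save_user&ID=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Nov/2025:10:01:09 +0000] "GET /ajax.php?action=save_user&ID=42%27%20OR%201%3D1-- HTTP/1.1" 200 9810',
    '203.0.113.7 - - [17/Nov/2025:10:01:15 +0000] "GET /ajax.php?action=save_user&ID=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 311',
    '198.51.100.4 - - [17/Nov/2025:10:02:00 +0000] "GET /ajax.php?action=list_users HTTP/1.1" 200 2048',
    '198.51.100.4 - - [17/Nov/2025:10:02:30 +0000] "POST /ajax.php?action=save_user HTTP/1.1" 200 44',
];

foreach (scan_access_log($sample) as $alert) {
    echo $alert, PHP_EOL;
}
```

The pattern list is deliberately narrow so that it mirrors the indicators in this advisory; in production, pair it with the response-size monitoring described below, since a legitimate single-row update and a UNION-based extraction differ far more in response length than in request shape.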

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect query and body parameters for SQL injection signatures targeting the /ajax.php endpoint.
  • Enable verbose database query logging and alert on queries containing tautologies or UNION-based extraction patterns referencing the users table.
  • Correlate authentication events with administrative actions on the save_user endpoint to identify low-privilege accounts performing privileged operations.

Monitoring Recommendations

  • Forward web server, PHP error, and database logs to a centralized analytics platform for correlation.
  • Monitor for anomalous response sizes from /ajax.php?action=save_user, which often indicate data exfiltration via UNION-based injection.
  • Track failed login attempts followed by successful authentication and subsequent requests to AJAX handlers.

How to Mitigate CVE-2025-13286

Immediate Actions Required

  • Restrict network exposure of the Online Voting System to trusted networks until a patch is applied.
  • Audit application accounts and disable any low-privilege accounts that are not strictly required.
  • Review database logs for evidence of prior exploitation of the save_user endpoint.

Patch Information

No official vendor patch is referenced in the advisory for itsourcecode Online Voting System 1.0. Administrators should monitor the vendor site and the GitHub CVE Issue Discussion for updated guidance. Until a fix is published, the application should be considered vulnerable.

Workarounds

  • Place the application behind a WAF and block requests to /ajax.php?action=save_user that contain SQL meta-characters in the ID parameter.
  • Modify the affected PHP code to use parameterized queries or prepared statements via PDO or mysqli for all database operations involving the ID parameter.
  • Apply strict server-side input validation to ensure the ID parameter accepts only numeric values.
  • Remove or restrict access to administrative AJAX handlers from unauthenticated and low-privilege users.
```apache
# Example ModSecurity rule blocking SQLi attempts against the vulnerable endpoint
SecRule REQUEST_URI "@contains /ajax.php" \
    "id:1013286,phase:2,deny,status:403,msg:'CVE-2025-13286 SQLi attempt on save_user',chain"
    SecRule ARGS:action "@streq save_user" "chain"
        SecRule ARGS:ID "@detectSQLi" "t:none"
```
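The root-cause description and the two code-level workarounds above (parameterized queries via PDO, numeric validation of ID) are illustrated by the following added example. It is not the Online Voting System's own code: the table name users and the columns id, firstname and lastname are assumptions, and the handler is written as plain functions taking the request array rather than as the real ajax.php dispatcher. The first function reproduces the concatenation anti-pattern; the second is the hardened form. The demo runs on an in-memory SQLite database with constructed rows.

```php
<?php
// Added example (not the Online Voting System's own code): the concatenation
// anti-pattern behind CVE-2025-13286 next to a hardened save_user handler.
// Table and column names (users, id, firstname, lastname) are assumptions.
declare(strict_types=1);

// VULNERABLE (illustrative): the ID value is spliced into the SQL text, so
// anything following the number becomes part of the WHERE clause.
function save_user_vulnerable(PDO $db, array $post): int
{
    $id = $post['ID'] ?? '';
    $sql = "UPDATE users SET firstname = '{$post['firstname']}' WHERE id = {$id}";
    return $db->exec($sql);   // number of rows the statement changed
}

// HARDENED: validate the shape of ID, then bind every value as a parameter.
function save_user_hardened(PDO $db, array $post): int
{
    $id = (string) ($post['ID'] ?? '');
    // Accept only a decimal integer: this rejects quotes, operators, comments
    // and whitespace before the value ever reaches the database.
    if (!ctype_digit($id) || strlen($id) > 10) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }
    // With placeholders the driver sends values separately from the SQL text,
    // so the database never parses user input as query syntax.
    $stmt = $db->prepare(
        'UPDATE users SET firstname = :fn, lastname = :ln WHERE id = :id'
    );
    $stmt->bindValue(':fn', (string) ($post['firstname'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':ln', (string) ($post['lastname'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demo: in-memory SQLite with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'Alice', 'A'), (2, 'Bob', 'B'), (3, 'Carol', 'C')");

// A tautology in ID widens a single-row update to every row in the table.
$tainted = ['ID' => '1 OR 1=1', 'firstname' => 'X', 'lastname' => 'Y'];
printf("vulnerable handler: %d rows changed\n", save_user_vulnerable($db, $tainted));

// The hardened handler refuses the same input before any SQL is built.
try {
    save_user_hardened($db, $tainted);
} catch (InvalidArgumentException $e) {
    echo "hardened handler: rejected ({$e->getMessage()})\n";
}

// A well-formed request still works and touches exactly one row.
$clean = ['ID' => '2', 'firstname' => 'Bobby', 'lastname' => 'B'];
printf("hardened handler: %d rows changed\n", save_user_hardened($db, $clean));
```

The validation step and the prepared statement are independent defences: binding alone already stops the injection, while the ctype_digit check additionally turns a malformed ID into a logged application error instead of a silently no-op query, which is useful for the detection strategies above.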

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
