CVE-2025-13568 Overview
CVE-2025-13568 is a SQL injection vulnerability in itsourcecode COVID Tracking System 1.0, a PHP-based web application distributed by angeljudesuarez. The flaw is in the /admin/?page=people endpoint, where the ID parameter is placed directly into a database query without parameterization or input validation. An authenticated attacker with low privileges can manipulate the ID argument to inject arbitrary SQL. The attack is carried out remotely over the network. A public exploit description has been disclosed, which increases the likelihood of opportunistic abuse against exposed instances. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Injection).
Critical Impact
Authenticated attackers can read, modify, or delete records in the COVID Tracking System database by injecting SQL through the ID parameter on the people administration page.
Affected Products
- itsourcecode COVID Tracking System 1.0
- angeljudesuarez:covid_tracking_system:1.0 (CPE)
- PHP deployments using the affected /admin/?page=people handler
Discovery Timeline
- 2025-11-23 - CVE-2025-13568 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-13568
Vulnerability Analysis
The vulnerability resides in the administrative page handler reached through /admin/?page=people. The ID request parameter flows into a SQL query without parameterization or input validation. An attacker authenticated to the admin interface can append SQL syntax to the ID value to alter the query logic, extract data with UNION SELECT payloads, or perform boolean-based and time-based blind injection. Because the backend stores personal health-tracking records, successful exploitation exposes sensitive personal information. The issue is classified under CWE-89, reflecting the absence of prepared statements. The EPSS score places the near-term probability of exploitation at the low end of the range, but the public disclosure on GitHub provides enough detail for direct reproduction.
Root Cause
The root cause is the direct concatenation of the ID GET parameter into a SQL statement within the people admin module. The application does not use prepared statements, parameter binding, or type casting. There is no allow-list validation that constrains ID to numeric input before it reaches the query layer.
Attack Vector
Exploitation requires network access to the admin interface and a valid low-privilege admin session. The attacker issues a crafted HTTP request to /admin/?page=people&ID=<payload>, where <payload> contains SQL metacharacters such as single quotes, UNION SELECT, or conditional SLEEP() constructs. The server returns query results, error messages, or timing differences that the attacker uses to enumerate database contents.
// Conceptual request pattern - not a verified PoC; "users", "username" and "password" are illustrative names
GET /admin/?page=people&ID=1%27%20UNION%20SELECT%20username,password%20FROM%20users--%20- HTTP/1.1
Host: <target>
Cookie: <session cookie of an authenticated low-privilege admin>
Detection Methods for CVE-2025-13568
Indicators of Compromise
- HTTP requests to /admin/?page=people containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the ID parameter.
- Web server or PHP error logs referencing MySQL syntax errors tied to the people page.
- Anomalous outbound data volume from the database server following requests to the admin endpoint.
- Authentication events for admin accounts originating from unfamiliar IP addresses prior to suspicious ID parameter activity.
Detection Strategies
- Deploy a web application firewall rule that inspects the ID parameter on /admin/?page=people for SQL keywords and quote characters.
- Enable verbose query logging on the backend database and alert on queries against the people-related tables that include UNION or stacked statements.
- Correlate admin login events with rapid sequential GET requests that vary only the ID value, which is typical of automated SQLi tooling.
Monitoring Recommendations
- Forward web server access logs and database audit logs to a central analytics platform for retroactive search.
- Baseline the normal length and character set of the ID parameter and alert on deviations.
- Monitor for sqlmap user-agent strings and known SQLi tool fingerprints against the admin interface.
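The detection and monitoring bullets above can be run as a log-side check. The following PHP CLI script is an added example written for this page, not code from the advisory or from the itsourcecode project. It assumes Apache/nginx combined log format, PHP 8 or later, and the parameter names page and ID used by the affected route; the log lines at the bottom are constructed for illustration, not captured traffic. It decodes nested percent-encoding before inspecting ID (so %2527 is seen as a quote), compares the value against the numeric baseline, matches the metacharacters from the Indicators of Compromise list, flags HTTP 500 responses and known tool user-agents, and reports clients that vary only ID across repeated requests.

```php
<?php
// Added example, not the advisory's or the vendor's code. Assumes combined log format,
// PHP 8+, and the "page"/"ID" query parameters of the affected route. Sample log lines
// below are constructed, not real traffic.
declare(strict_types=1);

// Combined Log Format: ip ident user [timestamp] "method target proto" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
// Metacharacters and keywords from the IoC list, plus BENCHMARK( as a second MySQL timing primitive.
const SQLI_RE = '/(\'|--|\/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()/i';

// Undo nested percent-encoding (%2527 -> %27 -> ') so the checks see the value the app decoded.
function normaliseParam(string $value, int $maxLayers = 3): string
{
    for ($i = 0; $i < $maxLayers; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Inspect one access-log line; returns null when it is not a suspicious people-page request.
function analyseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    [, $ip, $ts, , $target, $status, $ua] = $m;
    $path  = (string) (parse_url($target, PHP_URL_PATH) ?? '');
    $query = (string) (parse_url($target, PHP_URL_QUERY) ?? '');
    if (!str_starts_with($path, '/admin/')) {
        return null;
    }
    parse_str($query, $args);                          // one decoding layer, as $_GET would get
    if (($args['page'] ?? '') !== 'people' || !isset($args['ID'])) {
        return null;
    }
    $findings = [];
    $id = normaliseParam((string) $args['ID']);
    if (!preg_match('/^[0-9]{1,10}\z/', $id)) {        // baseline: the page expects a plain numeric ID
        $findings[] = 'ID outside numeric baseline (hex: ' . bin2hex($id) . ')';
    }
    if (preg_match(SQLI_RE, $id)) {
        $findings[] = 'SQL metacharacters or keywords in ID';
    }
    if ($status === '500') {
        $findings[] = 'HTTP 500 on people page; check the PHP/MySQL error log for syntax errors';
    }
    if (preg_match('/sqlmap|havij|jsql/i', $ua)) {
        $findings[] = 'known SQLi tool user-agent';
    }
    return $findings === [] ? null : ['ip' => $ip, 'ts' => $ts, 'findings' => $findings];
}

// Clients that hit the people page repeatedly while varying only ID, the shape of automated
// injection tooling. The threshold is an assumed tuning value, not from the advisory.
function burstClients(array $lines, int $threshold = 3): array
{
    $idsByClient = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;
        }
        parse_str((string) (parse_url($m[4], PHP_URL_QUERY) ?? ''), $args);
        if (($args['page'] ?? '') === 'people' && isset($args['ID'])) {
            $idsByClient[$m[1]][(string) $args['ID']] = true;
        }
    }
    return array_keys(array_filter($idsByClient, fn (array $ids): bool => count($ids) >= $threshold));
}

// Constructed sample: one benign client, one client running a time-based then a double-encoded UNION probe.
$sampleLog = [
    '203.0.113.7 - - [23/Nov/2025:10:15:01 +0000] "GET /admin/?page=people&ID=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Nov/2025:10:15:02 +0000] "GET /admin/?page=people&ID=17%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Nov/2025:10:15:03 +0000] "GET /admin/?page=people&ID=17%2527%2520UNION%2520SELECT%25201,2,3--%2520- HTTP/1.1" 500 312 "-" "sqlmap/1.8"',
    '198.51.100.4 - - [23/Nov/2025:10:16:40 +0000] "GET /admin/?page=people&ID=23 HTTP/1.1" 200 5102 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Nov/2025:10:16:41 +0000] "GET /admin/?page=dashboard HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $hit = analyseLine($line);
    if ($hit !== null) {
        printf("%s %s: %s\n", $hit['ts'], $hit['ip'], implode('; ', $hit['findings']));
    }
}
foreach (burstClients($sampleLog) as $ip) {
    echo "burst of people-page requests with varying ID from $ip\n";
}
```

Run it with php against a file of real access-log lines in place of the sample array. The numeric-baseline check is the one that matters most: keyword lists miss payloads that avoid the listed words, but a value that is not a plain integer is already a deviation for this parameter.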
How to Mitigate CVE-2025-13568
Immediate Actions Required
- Restrict network access to the /admin/ path to trusted management IP ranges via firewall or reverse-proxy ACLs.
- Rotate all administrative credentials and review the users table for unauthorized accounts.
- Audit recent web server logs for requests to /admin/?page=people containing SQL syntax in the ID parameter.
- Treat any data accessible to the application database as potentially exposed and notify affected data subjects if breach thresholds apply.
Patch Information
No vendor patch has been published for itsourcecode COVID Tracking System 1.0 at the time of disclosure. Refer to the GitHub issue tracker and the VulDB entry for any updates. Until a fix is released, organizations should consider retiring the application or applying the workarounds below.
Workarounds
- Modify the people page handler to reject any ID value that is not purely numeric (for example with ctype_digit()) before it reaches a query. A bare intval() cast also neutralizes the injection, but it silently turns a payload such as 1' UNION ... into 1 and hides the attempt from application logs.
- Refactor affected queries to use PDO or mysqli prepared statements with bound parameters.
- Place the application behind a web application firewall with SQL injection signatures enabled in blocking mode.
- Disable the /admin/?page=people route if it is not required for operations.
# Example WAF rule (ModSecurity v2 syntax) to block SQLi on the ID parameter of the people page.
# ARGS values are already URL-decoded; t:urlDecodeUni additionally catches double-encoded payloads.
# Because the page expects a numeric ID, a tighter allow-list for the last rule is: "!@rx ^[0-9]+$"
SecRule REQUEST_FILENAME "@beginsWith /admin/" \
    "id:1013568,phase:2,deny,status:403,log,msg:'CVE-2025-13568 SQLi attempt',chain"
    SecRule ARGS:page "@streq people" "chain"
        SecRule ARGS:ID "@rx (?i)(union|select|sleep\(|--|';|/\*)" "t:none,t:urlDecodeUni"
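The code-level fix from the Workarounds list, shown beside the concatenation pattern described under Root Cause and Attack Vector. This is an added example for this page, not the itsourcecode project's code: the function names, the people table and its column names are assumptions; only the /admin/?page=people route and the ID parameter come from the advisory. It assumes PHP 8 with mysqli (mysqlnd) and demonstrates why validation should reject rather than coerce.

```php
<?php
// Added example, not code from the itsourcecode project or the advisory. Function names,
// the "people" table and its columns are assumptions; the ID parameter is from the advisory.
declare(strict_types=1);

// Pattern described in the Root Cause section (vulnerable): the raw GET value is
// concatenated into the SQL text, so a quote in ID ends the string literal and
// everything after it is parsed as SQL.
function peopleQueryVulnerable(string $id): string
{
    return "SELECT * FROM people WHERE id = '" . $id . "'";
}

// Allow-list check for the hardened handler: a decimal integer and nothing else.
// \z (not $) so a trailing newline cannot slip through. Rejecting, rather than
// intval()-coercing, keeps the attempt visible: intval("1' UNION ...") is just 1.
function isValidPeopleId(string $id): bool
{
    return preg_match('/^[1-9][0-9]{0,9}\z/', $id) === 1;
}

// Hardened handler: validate, then bind. The value is sent to MySQL separately from the
// statement text, so it can no longer change the structure of the query.
function lookupPerson(mysqli $db, string $id): ?array
{
    if (!isValidPeopleId($id)) {
        http_response_code(400);
        error_log('people: rejected ID parameter (hex): ' . bin2hex($id)); // hex keeps the log line clean
        return null;
    }
    $idInt = (int) $id;
    $stmt = $db->prepare('SELECT id, firstname, lastname FROM people WHERE id = ?');
    $stmt->bind_param('i', $idInt);   // 'i' binds as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// PDO equivalent (turn off emulated prepares so the server itself performs the binding):
//   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
//   $stmt = $pdo->prepare('SELECT id, firstname, lastname FROM people WHERE id = :id');
//   $stmt->execute([':id' => $idInt]);

// Offline demonstration of both code paths with the payload shape from the Attack Vector section.
if (PHP_SAPI === 'cli') {
    $payload = "1' UNION SELECT username,password FROM users-- -";
    echo "vulnerable query text: ", peopleQueryVulnerable($payload), PHP_EOL;
    foreach ([$payload, '42', '42 ', "7\n", '0'] as $candidate) {
        printf("isValidPeopleId(%s) = %s\n", json_encode($candidate), isValidPeopleId($candidate) ? 'true' : 'false');
    }
}
```

The allow-list check is the part that runs without a database; point lookupPerson() at a real mysqli connection to exercise the bound query. Keep the 400 response and the error_log() call: they are what turn an injection attempt into a detectable event rather than a silently coerced lookup of record 1.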
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

