Skip to main content
CVE Vulnerability Database

CVE-2025-7555: Fabian Voting System SQL Injection Flaw

CVE-2025-7555 is a critical SQL injection vulnerability in Fabian Voting System 1.0 affecting the /admin/voters_add.php file. Attackers can exploit firstname/lastname parameters remotely to inject malicious SQL.

Published:

CVE-2025-7555 Overview

CVE-2025-7555 is a SQL injection vulnerability in code-projects Voting System 1.0. The flaw resides in the /admin/voters_add.php script, where the firstname and lastname parameters are passed to a database query without proper sanitization. An authenticated remote attacker with low privileges can manipulate these parameters to inject arbitrary SQL statements. The exploit has been disclosed publicly, increasing the likelihood of opportunistic abuse against exposed installations. The vulnerability is tracked under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component.

Critical Impact

Authenticated attackers can inject SQL through the voter registration form, enabling unauthorized read or modification of the voter database backing the application.

Affected Products

  • code-projects Voting System 1.0
  • Fabian Voting System (cpe:2.3:a:fabian:voting_system:1.0)
  • The /admin/voters_add.php administrative endpoint

Discovery Timeline

  • 2025-07-14 - CVE-2025-7555 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-7555

Vulnerability Analysis

The vulnerability exists in the administrator-facing voter registration workflow of code-projects Voting System 1.0. When an administrator submits the voter creation form, the application forwards the firstname and lastname POST parameters directly into an SQL INSERT statement. Because the parameters are concatenated into the query string rather than bound as parameters, a payload containing SQL metacharacters alters the query structure.

The attack requires valid administrator session credentials but no user interaction. Once exploited, the attacker can read arbitrary tables, including credential hashes and voter records, or modify ballot data. The EPSS probability for this CVE is 0.197% at the 41.65 percentile.

Root Cause

The root cause is the absence of input validation and parameterized queries in voters_add.php. The application trusts client-supplied form fields and inserts them into SQL statements verbatim. This is a classic instance of [CWE-74] input neutralization failure applied to a SQL backend.

Attack Vector

The attack vector is network-based and requires low-privilege authentication. An attacker with administrator access submits a crafted POST request to /admin/voters_add.php containing SQL syntax in the firstname or lastname field. The injected payload executes within the context of the database user configured for the application, typically with full privileges over the voting database schema. Public proof-of-concept material referenced in the GitHub issue and VulDB entry demonstrates exploitation.

No verified exploit code is published in a vetted repository. Refer to the linked references for technical details on the injection payload structure.

Detection Methods for CVE-2025-7555

Indicators of Compromise

  • HTTP POST requests to /admin/voters_add.php containing SQL metacharacters such as single quotes, UNION SELECT, --, /*, or OR 1=1 in the firstname or lastname parameters
  • Unexpected new rows in administrative or voter tables that do not correspond to legitimate registration activity
  • Database error messages in web server logs referencing syntax errors originating from voters_add.php

Detection Strategies

  • Inspect web server access logs for anomalous request bodies submitted to /admin/voters_add.php, particularly those containing URL-encoded SQL keywords
  • Deploy a web application firewall ruleset that flags SQL injection signatures targeting voter management endpoints
  • Enable MySQL general query logging during incident response to correlate injected queries with the originating HTTP session

Monitoring Recommendations

  • Alert on administrator account logins originating from previously unseen IP addresses or geolocations
  • Monitor the application database for INFORMATION_SCHEMA queries that do not originate from administrative tooling
  • Track outbound network connections from the database host that could indicate data exfiltration following exploitation

How to Mitigate CVE-2025-7555

Immediate Actions Required

  • Restrict access to the /admin/ directory using network ACLs or HTTP basic authentication until a code fix is applied
  • Rotate all administrator credentials and review existing admin accounts for unauthorized additions
  • Audit the voter database for unauthorized inserts, updates, or deletes against the voter and credential tables

Patch Information

No official vendor patch has been published at the time of writing. The vendor reference page is available at code-projects.org. Affected operators should treat the application as end-of-life unless the maintainer issues a corrected release that introduces parameterized queries in voters_add.php.

Workarounds

  • Replace direct string concatenation in voters_add.php with prepared statements using PDO or mysqli parameter binding
  • Apply server-side input validation that rejects non-alphabetic characters in firstname and lastname fields
  • Place the application behind a web application firewall configured with OWASP Core Rule Set SQL injection signatures
  • Run the application database user with the minimum privileges required, removing FILE, CREATE, and DROP rights where possible
bash
# Example ModSecurity rule to block SQL metacharacters in voter fields
SecRule REQUEST_URI "@beginsWith /admin/voters_add.php" \
  "id:1007555,phase:2,deny,status:403,log,\
   chain,msg:'Potential SQLi in voters_add.php'"
  SecRule ARGS:firstname|ARGS:lastname "@rx [\"'();]|--|/\*|union\s+select" \
    "t:lowercase,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.