CVE-2025-9663 Overview
CVE-2025-9663 is a SQL injection vulnerability in code-projects Simple Grading System 1.0. The flaw resides in the /edit_account.php script within the Admin Panel component. Attackers manipulate the ID parameter to inject arbitrary SQL statements into the backend database query.
The vulnerability is exploitable remotely over the network and requires low-level privileges. Public exploit details have been disclosed through VulDB, increasing the likelihood of opportunistic abuse against exposed installations. The issue is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated attackers can inject SQL through the ID parameter in /edit_account.php to read, modify, or delete administrative account data in the Simple Grading System database.
Affected Products
- Fabian Simple Grading System 1.0
- Component: Admin Panel (/edit_account.php)
- Affected CPE: cpe:2.3:a:fabian:simple_grading_system:1.0
Discovery Timeline
- 2025-08-29 - CVE-2025-9663 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9663
Vulnerability Analysis
The Simple Grading System Admin Panel exposes an account editing endpoint at /edit_account.php. This endpoint accepts an ID parameter that is passed directly into a SQL query without parameterization or sanitization. An attacker supplies crafted input that breaks out of the intended query context.
Because the application is written in PHP with direct MySQL query construction, the injected payload executes as part of the original statement. The attacker can perform UNION-based extraction, boolean-based blind enumeration, or time-based blind queries depending on response handling. Successful injection compromises the confidentiality and integrity of all rows accessible to the database user, including administrator credentials.
Root Cause
The root cause is improper neutralization of user-supplied input embedded in a SQL statement. The ID parameter is concatenated into the query string rather than bound through a prepared statement. No type casting, allowlist validation, or escaping is applied before the value reaches the database driver.
Attack Vector
Exploitation requires network access to the Admin Panel and a low-privilege authenticated session. The attacker issues an HTTP request to /edit_account.php with a malicious ID value such as 1' OR '1'='1 or a UNION SELECT payload. The vulnerable query executes the attacker-controlled SQL alongside legitimate logic.
No verified proof-of-concept code is republished here. Technical analysis is available through the VulDB entry 321870 and the Yuque analysis document referenced by the disclosure.
Detection Methods for CVE-2025-9663
Indicators of Compromise
- HTTP requests to /edit_account.php containing SQL metacharacters such as single quotes, --, UNION, SELECT, or SLEEP( in the ID parameter.
- Web server access logs showing unusually long ID values or URL-encoded SQL keywords (%27, %20OR%20, %20UNION%20).
- Database error messages or stack traces returned in HTTP responses from the Admin Panel.
- Unexpected reads or writes against the users or administrator tables originating from the web application database account.
Detection Strategies
- Deploy web application firewall signatures that flag SQL injection patterns on the /edit_account.php endpoint and the ID parameter specifically.
- Enable verbose query logging on the MySQL backend and alert on queries against the account table that contain OR 1=1, UNION SELECT, or sleep functions.
- Correlate authenticated session activity in the Admin Panel against anomalous query volume to identify automated exploitation attempts.
Monitoring Recommendations
- Forward web server and database logs to a centralized analytics platform for retroactive hunting on the ID parameter.
- Monitor outbound connections from the application host for signs of data exfiltration following suspicious admin panel activity.
- Alert on creation, modification, or deletion of administrator accounts that does not match an approved change window.
How to Mitigate CVE-2025-9663
Immediate Actions Required
- Restrict access to the Admin Panel using IP allowlisting, VPN, or network-layer controls until the application is patched.
- Audit administrator accounts in the Simple Grading System database for unexpected entries or modified credentials.
- Rotate all admin and database credentials and review session tokens after confirming the application is not compromised.
Patch Information
No vendor advisory or official patch has been published for Simple Grading System 1.0 at the time of writing. Refer to the code-projects.org project page for any subsequent releases. Organizations using this codebase should consider replacing it with maintained software or applying source-level fixes.
Workarounds
- Modify /edit_account.php to use parameterized queries via PDO or mysqli prepared statements instead of concatenating the ID value.
- Cast the ID parameter to an integer with intval($_GET['ID']) or (int)$_GET['ID'] before it reaches any SQL statement.
- Deploy a web application firewall rule that rejects requests to /edit_account.php containing SQL metacharacters in the ID parameter.
- Run the application database account with the minimum privileges required, removing DROP, ALTER, and cross-database SELECT rights.
# Example ModSecurity rule fragment to block SQLi against the vulnerable endpoint
SecRule REQUEST_URI "@beginsWith /edit_account.php" \
"id:1009663,phase:2,deny,status:403,log,\
msg:'CVE-2025-9663 SQLi attempt on Simple Grading System',\
chain"
SecRule ARGS:ID "@rx (?i)(union(.*)select|or\s+1=1|sleep\(|--|';)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

