CVE-2025-9667 Overview
CVE-2025-9667 is a SQL injection vulnerability in code-projects Simple Grading System 1.0. The flaw resides in the /delete_account.php script within the Admin Panel component. An attacker can manipulate the ID parameter to inject arbitrary SQL statements against the backend database. The attack can be initiated remotely and requires only low-level privileges. According to public reporting, an exploit for this vulnerability is publicly available.
The vulnerability is classified under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command) and [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can inject SQL statements through the ID parameter of /delete_account.php, potentially exposing or modifying records in the grading system database.
Affected Products
- Fabian Simple Grading System 1.0
- Component: Admin Panel (/delete_account.php)
- CPE: cpe:2.3:a:fabian:simple_grading_system:1.0:*:*:*:*:*:*:*
Discovery Timeline
- 2025-08-29 - CVE-2025-9667 published to the National Vulnerability Database
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9667
Vulnerability Analysis
The vulnerability exists in the account deletion workflow of the Admin Panel. When an administrator submits a request to /delete_account.php, the application passes the ID parameter directly into a SQL query without proper sanitization or parameterization. An attacker with access to the Admin Panel can supply crafted input that alters the query structure.
Because the injection occurs in a DELETE-context query, an attacker can extract data through error-based or time-based blind techniques, or modify the WHERE clause to delete unintended records. The exploit is reported as public, lowering the technical barrier for adversaries to reproduce the attack.
Root Cause
The root cause is the absence of prepared statements or input validation on the ID parameter inside /delete_account.php. User-controlled input is concatenated into a SQL string and executed against the database, which violates secure coding standards for parameterized queries.
Attack Vector
The attack vector is network-based and requires low-privileged authentication to the Admin Panel. The attacker sends a crafted HTTP request to /delete_account.php with a malicious ID value. No user interaction is needed beyond the attacker's own request. See the VulDB advisory #321874 for additional technical context.
No verified proof-of-concept code is reproduced here. Refer to the VulDB submission record and Yuque Documentation for additional details.
Detection Methods for CVE-2025-9667
Indicators of Compromise
- HTTP requests to /delete_account.php containing SQL metacharacters such as single quotes, UNION, SLEEP, --, or ; in the ID parameter.
- Unexpected DELETE operations or row count anomalies in the grading system database tables.
- Web server access logs showing repeated requests to /delete_account.php from a single source within a short time window.
Detection Strategies
- Deploy a web application firewall (WAF) rule that inspects the ID parameter for SQL injection signatures.
- Enable database query logging and alert on unexpected query structures originating from the Simple Grading System application user.
- Correlate authentication events with administrative actions to flag anomalous account deletion patterns.
Monitoring Recommendations
- Monitor PHP error logs for SQL syntax errors referencing delete_account.php.
- Track outbound responses from the application containing database error strings such as SQL syntax or mysql_fetch.
- Baseline normal admin activity to detect deviations in deletion frequency or timing.
How to Mitigate CVE-2025-9667
Immediate Actions Required
- Restrict network access to the Admin Panel using IP allow-listing or VPN-only access until a patch is available.
- Audit existing administrator accounts and rotate credentials to limit unauthorized access paths.
- Review database logs for evidence of prior exploitation against /delete_account.php.
Patch Information
At the time of publication, no vendor patch is referenced in the code-projects advisory listing. Operators should monitor the project source for updated releases and apply security fixes when published.
Workarounds
- Modify /delete_account.php to use parameterized queries or prepared statements with bound variables for the ID parameter.
- Apply server-side input validation that enforces a strict integer type on the ID value before it reaches the database layer.
- Place the application behind a WAF with signatures tuned to block SQL injection payloads targeting administrative endpoints.
- Reduce database account privileges so the application user cannot execute destructive operations outside of expected tables.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

