VYPR
High severity 7.3 · NVD Advisory · Published Nov 20, 2025 · Updated Apr 29, 2026

CVE-2025-13422

Description

A vulnerability was detected in freeprojectscodes Sports Club Management System 1.0. The affected element is an unknown function of the file /dashboard/admin/change_s_pwd.php. Performing manipulation of the argument login_id results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Sports Club Management System 1.0 via the login_id parameter in change_s_pwd.php allows unauthenticated remote attackers to execute arbitrary SQL queries.

Vulnerability

Analysis

A SQL injection vulnerability exists in the /dashboard/admin/change_s_pwd.php file of the Sports Club Management System version 1.0. The root cause is that the login_id parameter is directly incorporated into SQL queries without proper sanitization or validation, allowing attackers to inject malicious SQL code [1].

Exploitation

The attack can be initiated remotely without requiring authentication. An attacker can send a crafted POST request to the vulnerable endpoint, manipulating the login_id parameter to inject SQL commands. Public proof-of-concept code is available, demonstrating exploitation via boolean-based blind SQL injection techniques [1].

Impact

Successful exploitation enables attackers to achieve unauthorized database access, retrieve sensitive data, modify or delete records, and potentially gain comprehensive control over the system. This poses a serious threat to data integrity and system availability [1].

Mitigation

As of the publication date, no official patch has been released. The vendor has not provided a fixed version. Users should apply input validation and parameterized queries as a workaround, or consider migrating to an alternative solution if the product remains unmaintained [1].
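The workaround named above (input validation plus a parameterized query), as an added example that is not the vendor's code and not taken from the advisory. The table `admin`, the columns `username` and `pass_key`, the function names and the in-memory SQLite demo data are assumptions, since the application's real schema is not shown on this page.

```php
<?php
declare(strict_types=1);

// Allow-list check: login_id must be 1-32 chars of [A-Za-z0-9_.-].
function validLoginId(string $raw): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $raw) === 1;
}

// Returns true only when exactly one account row was updated.
function changePassword(PDO $db, string $loginId, string $newPassword): bool
{
    if (!validLoginId($loginId) || strlen($newPassword) < 8) {
        return false; // rejected before any statement is prepared
    }
    // Placeholders send login_id as a bound value, never as SQL text.
    // Table and column names are assumed, not the application's own.
    $stmt = $db->prepare(
        'UPDATE admin SET pass_key = :hash WHERE username = :id'
    );
    $stmt->execute([
        ':hash' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':id'   => $loginId,
    ]);
    return $stmt->rowCount() === 1;
}

// Demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, pass_key TEXT)');
$db->exec("INSERT INTO admin VALUES ('admin1', 'x'), ('admin2', 'y')");

// A well-formed id updates its own row only.
var_dump(changePassword($db, 'admin1', 'N3w-passphrase'));

// Constructed hostile id: fails the allow-list, so no query runs.
var_dump(changePassword($db, "admin1' OR '1'='1", 'N3w-passphrase'));

// The other account's stored value is untouched by either call.
$check = $db->query("SELECT pass_key FROM admin WHERE username = 'admin2'");
var_dump($check->fetchColumn());
```

Against MySQL the same function works with a `mysql:` DSN; setting `PDO::ATTR_EMULATE_PREPARES` to `false` there makes the driver use server-side prepared statements.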

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:darkseid:sports_club_management_system:1.0:*:*:*:*:*:*:*
  • (no CPE) range: =1.0

Patches

0

No patches discovered yet.

References

4
