CVE-2025-50868
Description
A SQL Injection vulnerability exists in the takeassessment2.php file of CloudClassroom-PHP-Project 1.0. The Q4 POST parameter is not properly sanitized before being used in SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A time-based blind SQL injection in takeassessment2.php of CloudClassroom-PHP-Project 1.0 allows attackers to extract database information via the unsanitized Q4 parameter.
CVE-2025-50868 describes a SQL injection vulnerability in the takeassessment2.php file of CloudClassroom-PHP-Project 1.0. The root cause is the lack of proper sanitization of the Q4 POST parameter before its use in database queries [1]. The application fails to validate or escape user input, enabling an attacker to inject arbitrary SQL commands.
The vulnerability is exploitable via a crafted POST request to the vulnerable endpoint, requiring no prior authentication. The attacker must be able to send HTTP requests to the server. The provided payload 5550'XOR(555*if(now()=sysdate(),sleep(6),0))XOR'Z triggers a time delay of 6 seconds when the injection is successful, confirming a time-based blind SQL injection [1]. This technique allows data extraction by observing response times.
Successful exploitation can lead to unauthorized access to, or modification of, the underlying database. An attacker may extract sensitive information such as user credentials, personal data, or other application secrets. The CVSS v3 base score of 6.5 (Medium) reflects the potential for significant information disclosure, though exploitation is not trivial.
As of the publication date, no official patch has been announced for CloudClassroom-PHP-Project 1.0. The vendor should implement parameterized queries or input validation for the Q4 parameter. Users are advised to restrict network access to the application or apply web application firewall rules to mitigate the risk until a fix is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
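The remediation the narrative recommends (parameterized queries plus input validation for Q4) is shown below as an added example. It is not code from CloudClassroom-PHP-Project, whose takeassessment2.php is not reproduced on this page; the table name, column names, DSN and credentials are hypothetical placeholders, and the assumption that an assessment answer is a short alphanumeric option identifier is illustrative.

```php
<?php
// Added example, not the project's code. Assumes a MySQL table `answers`
// with columns (assessment_id, question_no, answer); all names are hypothetical.
declare(strict_types=1);

function saveAnswer(PDO $pdo, int $assessmentId, string $q4): void
{
    // Allow-list check: an assessment answer is expected to be a short
    // option identifier, so anything outside that shape is rejected up front.
    // (Assumed format; adjust to what the form actually submits.)
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $q4)) {
        throw new InvalidArgumentException('Q4 must be 1-64 alphanumeric characters');
    }

    // Prepared statement: the SQL text is fixed, and Q4 reaches the server
    // as a bound parameter, never as part of the query string.
    $stmt = $pdo->prepare(
        'INSERT INTO answers (assessment_id, question_no, answer) VALUES (:aid, 4, :ans)'
    );
    $stmt->bindValue(':aid', $assessmentId, PDO::PARAM_INT);
    $stmt->bindValue(':ans', $q4, PDO::PARAM_STR);
    $stmt->execute();
}

// Emulated prepares are disabled so MySQL performs the binding server-side;
// exception mode makes driver errors visible instead of failing silently.
$pdo = new PDO(
    'mysql:host=localhost;dbname=cloudclassroom;charset=utf8mb4', // placeholder DSN
    'app_user',                                                   // placeholder user
    'app_password',                                               // placeholder password
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Validate the integer id the same way: reject rather than coerce bad input.
$assessmentId = filter_input(INPUT_POST, 'assessment_id', FILTER_VALIDATE_INT);
if ($assessmentId === false || $assessmentId === null) {
    http_response_code(400);
    exit('invalid assessment_id');
}

try {
    saveAnswer($pdo, $assessmentId, $_POST['Q4'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid answer');
}
```

The pattern this replaces is building the statement by concatenating the raw POST value into the SQL string, which is what lets a quote-terminated payload such as the one cited above change the query's structure. With binding, the submitted string can only ever be a value, so even a quoted or function-bearing input is stored verbatim or rejected by the allow-list rather than executed; the allow-list is a second layer, not a substitute for the prepared statement.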
Affected products
1 product
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference (cited as [1] above)
News mentions
No linked articles in our index yet.