CVE-2025-1210
Published: 12 February 2025
Summary
CVE-2025-1210 is a medium-severity Injection (CWE-74) vulnerability in Anisha Wazifa System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of user inputs, directly preventing SQL injection exploitation by rejecting or sanitizing manipulated arguments to /controllers/control.php.
SI-2 mandates timely flaw remediation, including patching the SQL injection vulnerability in Wazifa System 1.0 to eliminate the root cause.
RA-5 provides vulnerability scanning and monitoring to detect SQL injection flaws like CVE-2025-1210 and prioritize their remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in web application (/controllers/control.php) enables remote exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases (T1213.006).
NVD Description
A vulnerability classified as critical was found in code-projects Wazifa System 1.0. Affected by this vulnerability is an unknown functionality of the file /controllers/control.php. The manipulation of the argument to leads to sql injection. The attack can be launched remotely.…
more
The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1210 is a SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Wazifa System 1.0. The issue resides in an unknown functionality within the file /controllers/control.php, where manipulation of an argument enables SQL injection. Published on 2025-02-12, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), though described as critical in advisories.
The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or disruption within the application's database.
Advisories from VulDB (ctiid.295147, id.295147, submit.497357) document the issue, with additional details at code-projects.org and a GitHub proof-of-concept at github.com/nanguawuming/CVE2/blob/main/cve3.pdf. No specific patches or mitigations are detailed in the available information.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)