A critical vulnerability has been discovered in code-projects Online Complaint Site 1.0, assigned CVE-2025-63622. This flaw allows a remote, unauthenticated attacker to manipulate a specific component of the application, potentially leading to a complete system compromise. Successful exploitation could result in the theft of sensitive data, service disruption, and unauthorized control over the affected server.

The vulnerability exists in the /cms/admin/subcategory.php file of the Online Complaint Site application. An attacker can send a specially crafted request manipulating the category argument. Due to improper input validation, this manipulation likely leads to a critical injection flaw, such as SQL Injection or Command Injection, allowing the attacker to execute arbitrary code or commands on the underlying server with the privileges of the web service.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a complete compromise of the web server hosting the complaint management application. The potential consequences include unauthorized access to and exfiltration of all complaint data, which may contain personally identifiable information (PII), disruption of the complaint management service, and the ability for an attacker to use the compromised server as a pivot point to attack other systems within the organization's network. This poses significant risks of data breach, reputational damage, and potential regulatory penalties.

Immediate Action: Update the affected Online Complaint Site software to the latest version provided by the vendor to patch this vulnerability. After patching, monitor for any signs of exploitation attempts by reviewing web server and application access logs for unusual activity targeting the vulnerable file.

Proactive Monitoring:

• Monitor web server access logs for any requests to /cms/admin/subcategory.php containing suspicious characters or commands within the category parameter (e.g., SQL keywords like UNION, SELECT, or shell command syntax).
• Implement network egress filtering and monitor for unexpected outbound connections from the web server, which could indicate a successful compromise.
• Monitor for the creation of unexpected files in web-accessible directories or the execution of suspicious processes by the web server user account.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the /cms/admin/subcategory.php endpoint and the category parameter.
• Restrict access to the /cms/admin/ path at the network or web server level, allowing connections only from trusted IP addresses.
• Ensure the web server process runs with the lowest possible privileges to limit the impact of a potential code execution attack.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, it is imperative that organizations take immediate action. The primary recommendation is to apply the vendor-supplied patches to all affected systems without delay. While this vulnerability is not currently on the CISA KEV list, its critical nature warrants treating it with the highest priority. If patching cannot be performed immediately, implement the recommended compensating controls, such as a WAF, to mitigate the risk until a permanent fix can be applied.