CVE-2026-14778
SourceCodester · Onlne Examination & Learning Management System
An improper authorization vulnerability in the SourceCodester Onlne Examination & Learning Management System allows unauthenticated attackers to manipulate enrollment data via ajax_enroll.php.
Executive summary
A critical authorization bypass vulnerability in the SourceCodester Onlne Examination & Learning Management System exposes student enrollment data to unauthorized manipulation.
Vulnerability
The vulnerability exists within the /ajax_enroll.php file, where improper authorization allows an unauthenticated attacker to manipulate student_id, schedule_id, or action arguments. This flaw permits unauthorized modification of enrollment records within the system.
Business impact
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive academic records and the corruption of enrollment data. With a CVSS score of 7.3, this high-severity flaw poses a significant risk to data integrity and administrative control, potentially resulting in operational disruption and loss of trust in the learning management platform.
Remediation
Immediate Action: Contact the vendor immediately for security patches. If no patch is available, restrict access to the /ajax_enroll.php file to authorized internal networks only.
Proactive Monitoring: Review web server access logs for anomalous requests targeting /ajax_enroll.php or unusual patterns in student_id and schedule_id parameters.
Compensating Controls: Deploy a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious input within the specified arguments of the enrollment module.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the availability of public exploit code and the ease of access for unauthenticated attackers, organizations utilizing this software must prioritize remediation. Until a formal vendor patch is applied, strict access controls and WAF filtering should be implemented to mitigate the risk of unauthorized data manipulation.