01 · The Real Story
This is a sharp kitchen knife left in a student lab, not a crowbar that opens every datacenter door
CVE-2025-0168 is a SQL injection flaw in code-projects Job Recruitment 1.0, specifically the /_parse/_feedback_system.php endpoint where the person parameter is handled unsafely. The CVE record and public PoC both describe remote exploitation against version 1.0, and NVD maps the affected software to cpe:2.3:a:anisha:job_recruitment:1.0:*:*:*:*:*:*:*. I found no authoritative evidence of a vendor-fixed release, so for practical purposes the affected range is 1.0 with no published patch.
Vendor severity at 6.3 MEDIUM is closer to reality for enterprise prioritization than the later NVD enrichment at 7.5 HIGH. Yes, unauthenticated SQLi with public exploit code is technically dangerous, but this product is a downloadable, educational PHP/XAMPP project explicitly documented to run on localhost and on a PC for educational use. That deployment profile sharply reduces exposed population, asset criticality, and fleet-wide blast radius, which keeps this out of the urgent patch-now bucket for most enterprises.
"Real SQLi, public PoC, but mostly a niche training app with very limited enterprise exposure"
02 · The Attack Path
4 steps from start to impact.
STEP 01
Find a reachable instance
An attacker first has to locate a live deployment of the Job Recruitment app and reach the vulnerable
/_parse/_feedback_system.php endpoint. In practice this means fingerprinting a small, obscure PHP project rather than a mainstream enterprise product, using generic web recon tools like httpx, nuclei, or search-engine dorks. The attack does not start until the app is actually exposed over HTTP.Conditions required:
- A Job Recruitment 1.0 instance exists
- The web app is reachable from the attacker position
- The vulnerable endpoint is not blocked upstream
Where this breaks in practice:
- The product is documented as a local XAMPP educational project, so many copies never leave localhost or lab networks
- This is not a common enterprise platform with broad internet exposure or managed patch channels
- Asset inventory often reveals zero instances in normal corporate fleets
Detection/coverage: External attack-surface management may find the host, but product-specific scanner coverage is likely spotty. Generic web discovery tools and DAST are more useful than VM plugins here.
STEP 02
Probe the person parameter
The public PoC shows a crafted GET request to
/_parse/_feedback_system.php?person=... to test for injection behavior. A commodity tool such as sqlmap or manual ', *, UNION, or time-based payloads can validate whether backend SQL is being concatenated unsafely. This is straightforward once the endpoint is reachable.Conditions required:
- Attacker can send HTTP requests to the endpoint
- The vulnerable code path is still present
- No upstream control normalizes or blocks injection payloads
Where this breaks in practice:
- A WAF or reverse proxy with SQLi signatures may block noisy payloads
- Error suppression can slow manual validation
- Some copies may sit behind internal-only routing or VPN access
Detection/coverage: Apache/nginx access logs, WAF telemetry, and IDS rules can catch obvious
sqlmap patterns. DAST should identify the issue if the scanner is allowed to crawl this path.STEP 03
Extract or manipulate database content
After confirming injection, the attacker can enumerate schema, dump tables, or alter records depending on database permissions. The likely first-order impact is disclosure of applicant data, recruiter records, and possibly hashed credentials rather than immediate host takeover. Weaponized exploitation remains standard SQLi tradecraft, not a novel exploit chain.
Conditions required:
- Injection is exploitable beyond a boolean probe
- The backing database account has useful read or write privileges
Where this breaks in practice:
- Application DB users are often limited to that single app database
- Not every educational deployment holds valuable production data
- No evidence here of direct code execution from the database flaw alone
Detection/coverage: Look for repetitive inference queries, unusual response timing, spikes in
UNION SELECT patterns, and abnormal row-count or query-volume behavior at the database layer.STEP 04
Turn stolen data into follow-on access
If the dumped data includes reusable credentials, tokens, or admin hashes, the attacker may pivot into the application or adjacent systems. That follow-on impact depends on separate weaknesses such as password reuse, weak segmentation, or over-privileged service accounts. The CVE itself does not guarantee broad enterprise compromise.
Conditions required:
- The database contains sensitive or reusable secrets
- Those secrets are valid beyond this one app
- The host sits close enough to anything worth pivoting to
Where this breaks in practice:
- Most real deployments of this app are likely low-value demos, labs, student projects, or isolated departmental tools
- Modern MFA, PAM, and network segmentation break many post-dump pivot paths
- Blast radius is usually confined to one small app and its database
Detection/coverage: Credential misuse should show up in IAM, VPN, SSO, and EDR telemetry rather than in the original web logs.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No authoritative evidence found for active exploitation campaigns. CISA KEV does not list this CVE, and I found only a public PoC reference rather than incident reporting. |
|---|---|
| Proof-of-concept availability | Yes. A public GitHub write-up by UnrealdDei includes a request example against /_parse/_feedback_system.php and was tagged by NVD as an Exploit reference. |
| EPSS | 0.00044 from the user-supplied intel. I did not independently verify the percentile from FIRST data. |
| KEV status | Not KEV-listed as of the CISA KEV catalog source reviewed. No CISA due date applies. |
| CVSS disagreement | VulDB/CNA scores it 6.3 MEDIUM with PR:L, while NVD later enriched it to 7.5 HIGH with PR:N and confidentiality-heavy impact. That disagreement is a red flag that the record quality is rough and should not be taken at face value. |
| Affected versions | code-projects Job Recruitment 1.0 / anisha job_recruitment 1.0 per NVD CPE. I found no evidence of any broader maintained version stream. |
| Fixed versions | No authoritative fixed version found. Treat this as an unmaintained source-code project unless you have an internal fork. |
| Exposure reality | The vendor page explicitly instructs users to run it on localhost with XAMPP on a PC and states it is for educational purposes only. That materially lowers expected enterprise internet exposure. |
| Disclosure date | 2025-01-01 in CVE/NVD. CISA's weekly bulletin SB25-006 later summarized it on 2025-01-06. |
| Researcher / reporting trail | The raw PoC credits researchers from Xidian University in the markdown file. The assigning CNA is VulDB, not the vendor. |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to MEDIUM (5.1/10)
The decisive factor is deployment friction: this is a small downloadable training app that is usually run locally or in low-value dev/lab contexts, not a widely exposed enterprise platform. Public PoC and remote reachability keep it relevant, but the reachable population and likely blast radius are too narrow to justify a higher bucket for most 10,000-host environments.
HIGH Public PoC exists and the vulnerable endpoint/path are clearly identified
MEDIUM Real-world severity downgrade driven by deployment profile and likely exposure population
LOW Whether unauthenticated exploitation is universally valid, given CNA vs NVD scoring disagreement
Why this verdict
- Downward pressure: niche deployment — the product is documented as a localhost/XAMPP educational download, which implies a very small exposed enterprise population compared with mainstream SaaS or edge appliances
- Downward pressure: narrow blast radius — exploitation compromises one small PHP app and its database first; it does not natively hand over domain admin, hypervisor control, or an enterprise control plane
- Upward pressure: remote SQLi with public PoC — if you *do* expose it, exploitation is cheap and commodity tooling like
sqlmapis enough
Why not higher?
There is no evidence of KEV status, no trustworthy reporting of active campaigns, and no sign this software is broadly deployed in production enterprise estates. The best argument for HIGH is the technical class of bug, but the real-world reachable population is too small and too self-selecting for that to hold up at fleet scale.
Why not lower?
This is still a real SQL injection flaw with a public exploit path and likely no vendor patch. If an internet-facing copy exists, an unauthenticated attacker can probably pull data with very little effort, so dismissing it as mere noise would be sloppy.
05 · Compensating Control
What to do — in priority order.
- Pull it off the internet — If any instance is externally reachable, remove direct internet exposure now and place it behind VPN, allowlists, or an internal reverse proxy. There is no mitigation SLA for MEDIUM, but exposed copies should still be contained immediately because the PoC is public.
- Virtual-patch the endpoint — Add WAF or reverse-proxy rules to block suspicious requests to
/_parse/_feedback_system.phpand aggressively inspect thepersonparameter for SQL metacharacters and automation signatures. Use this as a stopgap while you retire, replace, or fork-fix the code within the 365-day remediation window. - Restrict database privileges — Ensure the app's DB account only has the minimum rights needed for this app and cannot access other schemas or perform admin actions. This limits post-SQLi blast radius and should be implemented during the same remediation cycle.
- Hunt for shadow IT copies — Search web roots, VM templates, developer images, and student/lab environments for
ai-recruitment-system-master,owlphin.sql, or the vulnerable PHP path. Because this is a downloadable code project, inventory failure is the main operational risk, not patch orchestration.
What doesn't work
- Relying on EDR alone doesn't solve the initial issue, because the first impact is database abuse over normal HTTP rather than malware execution on the host
- Credential rotation by itself is incomplete, because the flaw is an input-handling bug and can still leak fresh data after password changes
- Generic monthly patching doesn't help when there is no authoritative vendor-fixed version to deploy
06 · Verification
Crowdsourced verification payload.
Run this on the target host or on a mounted webroot checkout of the application source. Invoke it as python3 check_cve_2025_0168.py /var/www/html/ai-recruitment-system-master or python check_cve_2025_0168.py C:\xampp\htdocs\ai-recruitment-system-master; no admin rights are required for a readable source tree.
#!/usr/bin/env python3
# check_cve_2025_0168.py
# Detect likely vulnerable Job Recruitment 1.0 source for CVE-2025-0168.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=USAGE
import os
import re
import sys
TARGET_REL = os.path.join('_parse', '_feedback_system.php')
VULN_PARAM_PATTERNS = [
r"\$_GET\s*\[\s*['\"]person['\"]\s*\]",
r"\$_REQUEST\s*\[\s*['\"]person['\"]\s*\]",
r"\$_POST\s*\[\s*['\"]person['\"]\s*\]",
]
PREPARED_PATTERNS = [
r"->prepare\s*\(",
r"mysqli_prepare\s*\(",
r"bind_param\s*\(",
r"PDO\s*::\s*prepare\s*\(",
]
SQLISH = [
r"select\s+",
r"insert\s+into\s+",
r"update\s+",
r"delete\s+from\s+",
]
CONCAT_PATTERNS = [
r"\.\s*\$person",
r"\$person\s*\.",
r'"\s*\.\s*\$person\s*\.\s*"',
r"'\s*\.\s*\$person\s*\.\s*'",
]
def read_file(path):
try:
with open(path, 'r', encoding='utf-8', errors='ignore') as f:
return f.read()
except Exception:
return None
def exists_file(root):
candidate = os.path.join(root, TARGET_REL)
if os.path.isfile(candidate):
return candidate
return None
def has_any(patterns, text, flags=re.IGNORECASE | re.MULTILINE):
return any(re.search(p, text, flags) for p in patterns)
def main():
if len(sys.argv) != 2:
print('UNKNOWN')
print('Usage: python3 check_cve_2025_0168.py <app_root>')
sys.exit(3)
root = sys.argv[1]
php_file = exists_file(root)
if not php_file:
print('UNKNOWN')
print(f'Missing expected file: {os.path.join(root, TARGET_REL)}')
sys.exit(2)
content = read_file(php_file)
if content is None:
print('UNKNOWN')
print(f'Unable to read: {php_file}')
sys.exit(2)
normalized = content.lower()
references_person = has_any(VULN_PARAM_PATTERNS, content)
looks_prepared = has_any(PREPARED_PATTERNS, content)
looks_sql = has_any(SQLISH, normalized)
concatenates_person = has_any(CONCAT_PATTERNS, content)
if references_person and looks_prepared and not concatenates_person:
print('PATCHED')
print(f'Prepared-statement pattern detected in {php_file}')
sys.exit(0)
if references_person and looks_sql and concatenates_person:
print('VULNERABLE')
print(f'Likely unsafely concatenated person parameter in {php_file}')
sys.exit(1)
if references_person and looks_sql and not looks_prepared:
print('VULNERABLE')
print(f'SQL handling found without clear prepared-statement usage in {php_file}')
sys.exit(1)
print('UNKNOWN')
print(f'File present but signature inconclusive: {php_file}')
sys.exit(2)
if __name__ == '__main__':
main()
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: first determine whether you actually have any copies of this app outside dev/lab or student environments. If you find an exposed instance, remove internet access or virtual-patch it right away because the PoC is public; otherwise this is MEDIUM and there is no noisgate mitigation SLA — go straight to the 365-day remediation window. Since I found no vendor-fixed version, use the noisgate remediation SLA as a deadline to either retire the app, replace it, or apply an internal code fix within 365 days.
Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.