Impact
The vulnerability is a classic SQL injection: the 'ID' parameter in the administrator view of the Online Music Site is not properly sanitized before it is used in a database query. Attackers can inject arbitrary SQL through this parameter, allowing data extraction, modification, or potentially full database compromise. The flaw is exploitable remotely through HTTP requests, and the published proof-of-concept demonstrates that an attacker can gain unauthenticated read/write access to the underlying database. It is classified under CWE-74 (injection) and CWE-89 (SQL injection).
Affected Systems
code-projects Online Music Site 1.0 is affected. The issue lies in the Administrator folder, specifically /Administrator/PHP/AdminViewSongs.php. All deployments running this version without a patch are vulnerable, and the attack surface exists wherever that page's ID parameter can be reached with administrative trust.
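As an added illustration (not code from the Online Music Site project), the PHP below shows the pattern behind this class of flaw beside its fix: an ID parameter concatenated into the query text, and the same lookup done with integer validation and a bound parameter. The table name `songs`, its columns, the `admin` session key and the PDO connection details are assumptions.

```php
<?php
// Added example; table, column, session and DSN names are assumptions,
// not the project's real code.

// Vulnerable pattern: the request value becomes part of the SQL text, so
// whatever the client sends is executed as query syntax (CWE-89).
function viewSongVulnerable(mysqli $db, array $request): ?array
{
    $sql = "SELECT id, title, artist FROM songs WHERE id = " . $request['ID'];
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened pattern: require an authenticated admin, validate the parameter
// as a positive integer, and bind it in a prepared statement so the value
// can never change the structure of the query.
function viewSongSafe(PDO $db, array $request): ?array
{
    if (empty($_SESSION['admin'])) {
        http_response_code(403);       // admin-only view; reject anonymous callers
        return null;
    }
    $id = filter_var($request['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);       // anything that is not a positive integer
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, artist FROM songs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: native prepares (no emulation) so MySQL itself binds the parameter.
session_start();
$db = new PDO('mysql:host=localhost;dbname=music', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$song = viewSongSafe($db, $_GET);
```

Logging and alerting on 400 responses from this endpoint gives a cheap detection signal for probing of the ID parameter.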
Risk and Exploitability
The CVSS base score of 6.9 indicates moderate severity; the EPSS probability is below 1%, suggesting that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only remote delivery of a crafted URL or form submission and does not need local privileges. Attackers could cause data loss, a confidentiality breach, or unauthorized modification of the music library. The published exploitation code indicates that this issue is publicly known and could be leveraged by actors with minimal skill.
OpenCVE Enrichment