The discovered flaw resides in the /admin/login.php handler of SourceCodester Online Class Record System 1.0. When an attacker supplies a specially crafted value for the user_email parameter, the application concatenates this value directly into an SQL statement without proper sanitization, creating a classic SQL injection point. Exploiting this vulnerability allows the attacker to manipulate the database query, potentially retrieving, modifying, or deleting data from the system’s tables. The severity is reflected by a CVSS score of 6.9, indicating a moderate to high risk once the injection is leveraged.

This issue affects only the original 1.0 build of the SourceCodester Online Class Record System, a PHP application marketed by SourceCodester. The vulnerability is confined to the admin login administrative interface, meaning that any deployment of version 1.0 that exposes the /admin/login.php endpoint is susceptible. No other versions or forks were listed in the data, so the scope is limited to this specific product release.

The exploit requires remote access to the web interface; an attacker can trigger it by sending a crafted HTTP request to the login page hosted on an internet‑connected server. EPSS indicates a low probability of exploitation (<1 %), however an exploit has already been published, and the vulnerability is not presently listed in the CISA KEV catalog. The attack surface is significant because the entry point is a public web page that does not enforce authentication before the injection can occur. Given the moderate CVSS rating and remote nature of the vector, organizations running the vulnerable version should treat this as a high‑priority issue pending an official patch.