The vulnerability resides in the edit_admin.php script of Society Management System 1.0, where the admin_id parameter is insufficiently sanitized, allowing an attacker to inject arbitrary SQL through a GET or POST request. This flaw can lead to data tampering, disclosure, or potential privilege escalation if the database user has elevated rights. The weakness is a classic injection flaw classified as CWE-74 and CWE-89. The vulnerability is exploitable without authentication and can be executed over a network to compromise the integrity and confidentiality of the system’s data.

The affected software is Society Management System version 1.0, produced by itsourcecode. No additional versions are listed as affected, and the vulnerability description states that the issue exists in unknown code of the file /admin/edit_admin.php. The CPE indicates the product name as society_management_system with version 1.0.

The CVSS score of 6.9 places the flaw in the medium severity range, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting that it has not been widely observed in attacks yet. Nevertheless, because the attack can be performed from the public internet via the admin_id argument, an adversary can trigger the injection by sending a crafted request to the edit_admin.php endpoint. The lack of authentication requirements and the publicly disclosed exploit code increase the risk that the flaw could be leveraged by threat actors.