Impact
This vulnerability is a classic SQL injection flaw located in the file /wfh_attendance/admin/manage_employee.php of the SourceCodester Online Employees Work From Home Attendance System. By injecting malicious SQL into the input fields, an attacker can alter the query that the application sends to the database. Such manipulation could allow an attacker to read sensitive employee data, modify attendance records, delete records, or gain higher privileges within the database. The severity depends on the privileges of the exploited account, but any successful injection can compromise the confidentiality, integrity, and availability of the attendance information.
Affected Systems
All installations of SourceCodester Online Employees Work From Home Attendance System version 1.0 are affected; this is the only version documented with the flaw. No other vendor or product listings are provided in the current data.
Risk and Exploitability
No CVSS or EPSS scores are supplied, so the exact risk rating cannot be calculated from the data. However, because the vulnerability is a SQL injection, exploitation likely requires that the attacker can reach the vulnerable endpoint, and may require an authenticated session to the admin area. In the absence of a publicly available exploit, the likelihood of exploitation remains uncertain, but it is prudent to treat the flaw as high risk until it is remediated. The flaw is not listed in the KEV catalog, so no confirmed exploitation has been reported yet, but attackers could still target it because SQL injection is so widespread.