Impact
The vulnerability is a SQL injection flaw located in the file /wfh_attendance/admin/manage_employee.php of SourceCodester Online Employees Work From Home Attendance System version 1.0. An attacker who can send crafted input to this endpoint could cause the application to execute arbitrary SQL commands. The result is unauthorized access to or modification of the underlying database, allowing an attacker to read, alter, or delete attendance and employee data. This weakness is a classic example of CWE‑89, a data input flaw that can expose confidential information.
Affected Systems
The affected product is the SourceCodester Online Employees Work From Home Attendance System, version 1.0. No specific vendor name is listed for it; the system falls under the SourceCodester project. Users running this version with the vulnerable /wfh_attendance/admin/manage_employee.php file are potentially exposed.
Risk and Exploitability
The CVSS score for this flaw is 2.7, indicating low overall risk. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting it is not currently a high‑profile target. The likely attack vector is remote via the web interface, as inferred from the endpoint location, and would require the attacker to access the vulnerable admin endpoint. In the absence of an official patch, the risk remains low, but the flaw can still be exploited if the system is publicly reachable.
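A way to check whether the endpoint has received suspicious input, as an added example that is not part of the original advisory: the script below scans web server access-log lines for requests to /wfh_attendance/admin/manage_employee.php whose query-string values contain SQL syntax. The combined log format, the parameter name `id`, and all sample log lines are assumptions constructed for illustration; the advisory does not name the affected parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory.
ENDPOINT = "/wfh_attendance/admin/manage_employee.php"

# Apache/nginx combined log format (assumed; adjust to the server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristic markers: quoting, statement or comment syntax, SQL keywords.
MARKERS = re.compile(
    r"['\"`;]|--|/\*|\b(?:union|select|sleep|benchmark)\b", re.I
)

def suspicious_requests(lines):
    """Return one record per query parameter on ENDPOINT that matches MARKERS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m["target"])
        if unquote(parts.path) != ENDPOINT:
            continue  # other pages are out of scope for this check
        # parse_qsl percent-decodes values, so encoded quotes are caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if MARKERS.search(value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]),
                             "param": name, "value": value})
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical parameter).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /wfh_attendance/admin/manage_employee.php?id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [01/Jan/2025:10:02:11 +0000] "GET /wfh_attendance/admin/manage_employee.php?id=4%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5300 "-" "curl/8.0"',
    '198.51.100.5 - - [01/Jan/2025:10:03:40 +0000] "GET /wfh_attendance/admin/manage_employee.php?id=-1+UNION+SELECT+1,2,3 HTTP/1.1" 500 312 "-" "curl/8.0"',
    '198.51.100.5 - - [01/Jan/2025:10:04:02 +0000] "GET /wfh_attendance/index.php?q=o%27brien HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the request line, so input sent in a POST body will not appear here and needs application or WAF logging to review.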