CVE-2025-15244
Unknown Unknown - Not Provided
Race Condition in PHPEMS Purchase Request Handler, Remote Exploit

Publication date: 2025-12-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15244
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpems php_exam_management_system 11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15244 is a race condition vulnerability in PHPEMS version 11.0 and earlier, specifically in the points consumption function of the Purchase Request Handler. The flaw allows an attacker with a valid points account to send multiple concurrent purchase requests, exploiting the lack of synchronization and atomicity checks. This enables the attacker to purchase the same points-consuming course multiple times while only deducting points once or partially, effectively bypassing the intended points deduction mechanism. This leads to unauthorized accumulation of virtual assets or paid courses without proper payment. [1, 2, 3]

Impact Analysis

This vulnerability can lead to unauthorized access to paid courses or virtual assets by exploiting the race condition to bypass points deduction. If the points system is linked to real currency or requires payment, it can cause direct financial losses to the platform operator. Additionally, it damages platform fairness and user trust by allowing some users to gain unfair advantages. The vulnerability can be exploited remotely and publicly, increasing the risk of abuse. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for multiple concurrent purchase requests from the same user account attempting to consume points simultaneously. Using tools like Burp Suite Turbo Intruder with a race condition script can reproduce the attack by sending multiple concurrent purchase requests. Detection involves capturing and analyzing HTTP purchase requests for concurrency and repeated point deductions without corresponding balance changes. Specific commands are not provided, but using Burp Suite to intercept and replay requests concurrently is suggested. [1, 2]

Mitigation Strategies

Immediate mitigation steps include implementing database row-level locking (e.g., MySQL FOR UPDATE) during points deduction to serialize concurrent requests, adding real-time validation of points balance before each deduction to reject insufficient requests, introducing transaction logging with unique IDs to verify consistency, and limiting the frequency of concurrent points-consuming requests per account within a defined time window to prevent abuse. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart