CVE-2024-44660 identifies a SQL Injection vulnerability in PHPGurukul Online Shopping Portal 2.0, specifically in the login.php page. The vulnerability arises from improper sanitization of user-supplied inputs in the fullname, emailid, and contactno parameters, which are directly incorporated into SQL queries without adequate validation or use of parameterized statements. This allows an attacker to craft malicious input that alters the intended SQL command, potentially extracting sensitive data or modifying database contents. The vulnerability requires no authentication and can be exploited remotely over the network without user interaction, increasing its risk profile. The CVSS 3.1 base score is 6.5, indicating a medium severity level, with confidentiality and integrity impacts but no availability impact. No patches or fixes have been published yet, and no known exploits are reported in the wild. The CWE-89 classification confirms this is a classic SQL Injection issue. Given the nature of the affected parameters, attackers could retrieve user credentials, personal information, or manipulate login logic to bypass authentication or escalate privileges. The lack of authentication requirement and network accessibility make this a significant threat to any organization using this software for online shopping services.

For European organizations, exploitation of this vulnerability could lead to unauthorized access to customer data, including personally identifiable information (PII) such as names, emails, and contact numbers. This compromises confidentiality and may violate GDPR regulations, leading to legal and financial repercussions. Integrity of the database could also be compromised, allowing attackers to alter user data or authentication records, potentially enabling fraudulent transactions or account takeovers. Although availability is not directly impacted, the reputational damage and customer trust erosion could be severe. Organizations relying on PHPGurukul Online Shopping Portal 2.0 for e-commerce operations may face operational disruptions due to incident response and remediation efforts. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly given the straightforward nature of SQL Injection attacks.

Organizations should immediately audit their PHPGurukul Online Shopping Portal 2.0 installations to identify vulnerable versions. Since no official patches are currently available, developers must implement input validation and sanitization for the fullname, emailid, and contactno parameters in login.php. Employing prepared statements with parameterized queries is critical to prevent SQL Injection. Additionally, deploying Web Application Firewalls (WAFs) with SQL Injection detection rules can provide interim protection. Regularly monitoring logs for suspicious query patterns and failed login attempts can help detect exploitation attempts early. Organizations should also review database user permissions to follow the principle of least privilege, limiting the potential damage from successful injection. Finally, preparing incident response plans for data breaches and ensuring compliance with GDPR notification requirements is essential.