CVE-2025-10403: SQL Injection in PHPGurukul Beauty Parlour Management System
A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. It affects an unknown function of the file /admin/view-enquiry.php. Manipulation of the argument viewid leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-10403 is a SQL Injection vulnerability identified in version 1.1 of the PHPGurukul Beauty Parlour Management System, specifically within the /admin/view-enquiry.php file. The vulnerability arises due to improper sanitization or validation of the 'viewid' parameter, which is directly used in SQL queries. This flaw allows an unauthenticated remote attacker to inject malicious SQL code into the backend database query. Exploiting this vulnerability can lead to unauthorized data access, data modification, or even complete compromise of the underlying database. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 score of 6.9 (medium severity) reflects the moderate impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction needed. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The vulnerability affects a niche product used primarily in beauty parlour management, which may limit the attack surface but still poses a significant risk to organizations relying on this software for customer and business data management.
Potential Impact
For European organizations using PHPGurukul Beauty Parlour Management System 1.1, this vulnerability could lead to unauthorized access to sensitive customer data, including personal information and appointment details. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, attackers could manipulate or delete data, disrupting business operations and causing financial losses. Since the vulnerability allows remote exploitation without authentication, attackers could target multiple installations across Europe, potentially impacting small to medium enterprises in the beauty and wellness sector. The breach of customer trust and potential regulatory fines could have long-term negative effects on affected businesses.
Mitigation Recommendations
Organizations should immediately audit their use of PHPGurukul Beauty Parlour Management System 1.1 and restrict access to the /admin/view-enquiry.php endpoint, ideally limiting it to trusted IP addresses or VPN users. Since no official patch is currently available, applying web application firewall (WAF) rules to detect and block SQL injection patterns in the 'viewid' parameter is critical. Input validation and parameterized queries should be implemented by developers to sanitize inputs properly. If possible, upgrade to a newer, patched version of the software once released by the vendor. Regularly monitor logs for suspicious activity targeting the vulnerable endpoint. Additionally, conduct security awareness training for administrators to recognize signs of exploitation attempts and ensure backups are maintained to recover from potential data tampering.
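The two developer-side and operations-side controls named above (allow-list validation plus a parameterized query for viewid, and a log rule for the vulnerable endpoint) as one added example written for this page, not PHPGurukul's own code. It assumes a table named tblenquiry with constructed columns, uses SQLite in place of the application's MySQL backend (the PHP equivalent is a mysqli or PDO prepared statement), and runs over constructed access-log lines.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

VIEWID_RE = re.compile(r"[1-9][0-9]*")  # allow-list: positive integer only

def parse_viewid(raw):
    """Return viewid as int when it matches the allow-list, else None."""
    if raw is None or not VIEWID_RE.fullmatch(raw.strip()):
        return None
    return int(raw)

def fetch_enquiry(conn, raw_viewid):
    """Validate, then bind: the value never becomes part of the SQL text."""
    viewid = parse_viewid(raw_viewid)
    if viewid is None:
        return None  # reject outright; do not try to "clean" the string
    sql = "SELECT id, name, message FROM tblenquiry WHERE id = ?"
    return conn.execute(sql, (viewid,)).fetchone()

def build_demo_db():
    """Constructed in-memory stand-in for the app's enquiry table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblenquiry (id INTEGER PRIMARY KEY, name, message)")
    conn.executemany("INSERT INTO tblenquiry VALUES (?, ?, ?)",
                     [(1, "Alice", "Pricing for facial"), (2, "Bob", "Opening hours")])
    return conn

def flag_suspicious_requests(access_log):
    """Log rule: (line_no, viewid) for hits on the endpoint whose viewid fails the allow-list."""
    hits = []
    for n, line in enumerate(access_log.splitlines(), 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/admin/view-enquiry.php":
            continue
        for v in parse_qs(url.query, keep_blank_values=True).get("viewid", []):
            if parse_viewid(v) is None:
                hits.append((n, v))
    return hits

# Constructed Apache-style access-log lines, not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2025:00:01:00 +0000] "GET /admin/view-enquiry.php?viewid=2 HTTP/1.1" 200 512
10.0.0.9 - - [15/Sep/2025:00:01:07 +0000] "GET /admin/view-enquiry.php?viewid=2%27 HTTP/1.1" 500 120
10.0.0.9 - - [15/Sep/2025:00:01:12 +0000] "GET /admin/index.php?viewid=abc HTTP/1.1" 200 300
"""
```

The same allow-list drives both the query guard and the log rule, so a value that the application would reject is exactly the value that raises an alert.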
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-13T19:41:25.133Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c7591939776bc2a1466a60
Added to database: 9/15/2025, 12:08:57 AM
Last enriched: 9/15/2025, 12:10:00 AM
Last updated: 9/15/2025, 2:47:50 AM