CVE-2025-10459 is a SQL Injection vulnerability identified in version 1.1 of the PHPGurukul Beauty Parlour Management System. The flaw exists in the /admin/all-appointment.php file, specifically through the manipulation of the 'delid' parameter. This parameter is vulnerable to injection of malicious SQL code, allowing an attacker to interfere with the queries executed by the backend database. The vulnerability is exploitable remotely without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network accessible, no privileges required) and the potential impact on confidentiality, integrity, and availability, albeit with limited scope and impact. The vulnerability could allow attackers to read, modify, or delete data within the database, potentially leading to unauthorized data disclosure or corruption of appointment records. Although no known exploits are currently observed in the wild, the public availability of a proof-of-concept exploit increases the likelihood of exploitation attempts. The vulnerability affects only version 1.1 of the product, and no official patches have been linked or released yet. Given the nature of the product—a management system for beauty parlours—the database likely contains sensitive customer information and appointment details, making this vulnerability a significant concern for data privacy and business continuity.

For European organizations using PHPGurukul Beauty Parlour Management System 1.1, this vulnerability poses a risk of unauthorized access to sensitive customer and business data. Exploitation could lead to data breaches involving personal identifiable information (PII), appointment schedules, and possibly payment information if stored. This could result in reputational damage, regulatory penalties under GDPR due to inadequate data protection, and operational disruptions if appointment data is altered or deleted. The remote and unauthenticated nature of the exploit increases the risk of automated attacks targeting vulnerable installations. Small and medium-sized enterprises (SMEs) in the beauty and wellness sector across Europe, which may rely on this software, could face significant business impact from data loss or service interruptions. Additionally, compromised systems could be leveraged as a foothold for further network intrusion or lateral movement within an organization’s IT infrastructure.

1. Immediate mitigation should include restricting access to the /admin/all-appointment.php endpoint by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. 2. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'delid' parameter. 3. Conduct a thorough code review and implement parameterized queries or prepared statements to sanitize all user inputs, especially the 'delid' parameter, to prevent injection. 4. If possible, upgrade to a newer, patched version of the software once available or apply vendor-provided patches promptly. 5. Monitor logs for suspicious activity related to SQL errors or unusual database queries. 6. Educate administrative users on the risks and encourage strong authentication mechanisms to reduce the attack surface. 7. Regularly back up database contents to enable recovery in case of data tampering or loss. 8. Consider isolating the management system from critical internal networks to limit potential lateral movement.