CVE-2025-10603 is a SQL Injection vulnerability identified in version 1.0 of the PHPGurukul Online Discussion Forum software. The vulnerability exists in the /admin/admin_forum/search_result.php file, specifically in the handling of the 'Search' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code into the backend database queries. This type of injection allows unauthorized access to or modification of the database, potentially leading to data leakage, data corruption, or unauthorized administrative actions. The vulnerability does not require authentication or user interaction, making it exploitable by any remote attacker with network access to the affected application. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with the vector showing network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The lack of available patches or mitigations from the vendor at this time further elevates the threat to users of this software version.

For European organizations using PHPGurukul Online Discussion Forum version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their discussion forum data. Exploitation could lead to unauthorized data access, including sensitive user information or internal communications, which may result in privacy violations under GDPR. Additionally, attackers could manipulate forum content or escalate privileges, potentially disrupting organizational communication channels. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially if the forum is publicly accessible. This could lead to reputational damage, regulatory penalties, and operational disruptions. Organizations relying on this forum for critical internal or customer-facing communication should consider the risk of data breaches and service interruptions.

Given the absence of official patches, European organizations should immediately implement compensating controls. These include restricting access to the /admin/admin_forum/search_result.php endpoint via network-level controls such as IP whitelisting or VPN access to limit exposure. Web Application Firewalls (WAFs) should be configured with custom rules to detect and block SQL injection patterns targeting the 'Search' parameter. Input validation and sanitization should be enforced at the application level if source code access is available, employing parameterized queries or prepared statements to prevent injection. Regular monitoring of logs for suspicious query patterns and unusual database activity is critical. Organizations should also plan to upgrade to a patched or newer version of the software once available or consider migrating to alternative forum solutions with active security support. Conducting penetration testing focused on SQL injection vectors can help validate the effectiveness of mitigations.