
CVE-2025-10663: SQL Injection in PHPGurukul Online Course Registration

Severity: Medium
Published: Thu Sep 18 2025 (09/18/2025, 11:02:08 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Online Course Registration

Description

A vulnerability was found in PHPGurukul Online Course Registration 3.1. This affects an unknown function of the file /my-profile.php. Manipulation of the argument cgpa results in SQL injection. The attack may be initiated remotely. The exploit has been made public and could be used.

AI-Powered Analysis

Last updated: 09/18/2025, 11:10:54 UTC

Technical Analysis

CVE-2025-10663 is a SQL injection vulnerability in version 3.1 of the PHPGurukul Online Course Registration system, located in the /my-profile.php file. The flaw arises from insufficient validation or sanitization of the 'cgpa' parameter, whose value is incorporated into a database query; an attacker who controls that value can alter the structure of the query and execute arbitrary SQL. The flaw is exploitable remotely by an unauthenticated attacker and requires no user interaction or prior privileges. It carries a CVSS 4.0 base score of 6.9 (medium severity), reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and limited impact on confidentiality, integrity, and availability. Successful exploitation could allow an attacker to read, modify, or delete data in the application's database, leading to data leakage, unauthorized modification of records, or disruption of service. No exploitation in the wild has been reported, but exploit code has been published, which raises the likelihood of opportunistic attacks. Only version 3.1 is reported as affected, and the vendor has not published a patch or mitigation guidance at this time.

Potential Impact

For European organizations using PHPGurukul Online Course Registration version 3.1, this vulnerability poses a significant risk to the confidentiality and integrity of student and course-related data. Educational institutions and training providers could face unauthorized disclosure of personal information, academic records, and enrollment details. Data tampering could undermine the trustworthiness of academic records and disrupt administrative processes. Additionally, successful exploitation could lead to denial of service or further compromise of the underlying infrastructure if attackers leverage the database access for lateral movement. Given the remote, unauthenticated nature of the attack, the threat surface is broad, and organizations lacking timely mitigation are vulnerable to automated scanning and exploitation attempts. The reputational damage and potential regulatory consequences under GDPR for data breaches further amplify the impact on European entities.

Mitigation Recommendations

Organizations should immediately assess their deployment of PHPGurukul Online Course Registration and identify any instances running version 3.1. As no official patch is currently available, the following specific mitigations are recommended:

1) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the 'cgpa' parameter, focusing on common SQL injection patterns.
2) Employ input validation and sanitization at the application or proxy level to restrict 'cgpa' parameter inputs to expected numeric or formatted values.
3) Restrict database user permissions to the minimum necessary, avoiding use of highly privileged accounts by the web application to limit potential damage.
4) Monitor database logs and web server logs for unusual queries or error messages indicative of injection attempts.
5) Plan and prioritize upgrading or patching the PHPGurukul Online Course Registration system once vendor updates become available.
6) Conduct security awareness and incident response readiness for potential exploitation scenarios.

These targeted measures go beyond generic advice by focusing on the specific vulnerable parameter and the operational context of the affected product.
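The following added example (not part of the advisory or of the PHPGurukul code base) shows how recommendations 2 and 4 can be combined: an allow-list check for the 'cgpa' value, and a scan of web server access-log lines that flags requests to /my-profile.php whose 'cgpa' value fails that check. The CGPA format (a decimal between 0 and 10 with at most two decimal places) and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption (not from the advisory): a CGPA is a decimal between 0 and 10
# with at most two decimal places, e.g. "8.75". Format is checked first,
# then range, so a value like "10.50" fails even though it looks numeric.
CGPA_FORMAT = re.compile(r"\d{1,2}(?:\.\d{1,2})?")

def cgpa_is_valid(value: str) -> bool:
    """Allow-list check for the cgpa parameter: strict format, then range."""
    if not CGPA_FORMAT.fullmatch(value):
        return False
    return 0.0 <= float(value) <= 10.0

# Constructed sample access-log lines in common log format (not real traffic).
# The third line carries a stray quote in cgpa, the kind of malformed value
# an injection probe produces, and the server answered with a 500.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2025:11:02:08 +0000] "GET /my-profile.php?cgpa=8.75 HTTP/1.1" 200 512
192.0.2.11 - - [18/Sep/2025:11:02:09 +0000] "GET /my-profile.php?cgpa=9 HTTP/1.1" 200 498
192.0.2.12 - - [18/Sep/2025:11:02:10 +0000] "GET /my-profile.php?cgpa=8.75%27 HTTP/1.1" 500 0
192.0.2.13 - - [18/Sep/2025:11:02:11 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def scan_access_log(lines):
    """Return (client_ip, status, cgpa) for /my-profile.php requests whose
    cgpa value fails cgpa_is_valid(). Only query-string values are visible
    here; POST bodies are not recorded in a standard access log."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # skip lines that are not request records
        url = urlsplit(m.group("target"))
        if url.path != "/my-profile.php":
            continue
        # parse_qs percent-decodes, so "%27" is seen as the literal quote
        for value in parse_qs(url.query, keep_blank_values=True).get("cgpa", []):
            if not cgpa_is_valid(value):
                findings.append((m.group("ip"), int(m.group("status")), value))
    return findings

if __name__ == "__main__":
    for ip, status, value in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"suspicious cgpa from {ip} (HTTP {status}): {value!r}")
```

The same cgpa_is_valid() check can sit in front of the database query on the server or in a reverse proxy rule, while the log scan gives a retrospective view of probing that has already happened.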


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-18T05:20:40.494Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cbe8acaf984949a8d1d413

Added to database: 9/18/2025, 11:10:36 AM

Last enriched: 9/18/2025, 11:10:54 AM

Last updated: 9/18/2025, 11:13:47 AM
