
CVE-2025-10840: SQL Injection in SourceCodester Pet Grooming Management Software

Severity: Medium
Type: Vulnerability
CVE ID: CVE-2025-10840
Published: Tue Sep 23 2025 (09/23/2025, 05:02:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Pet Grooming Management Software

Description

A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. This affects an unknown function of the file /admin/print-payment.php. This manipulation of the argument sql111 causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.

AI-Powered Analysis

Last updated: 09/23/2025, 05:12:26 UTC

Technical Analysis

CVE-2025-10840 is a medium-severity SQL injection vulnerability in SourceCodester Pet Grooming Management Software version 1.0. The flaw lies in an unspecified function within the /admin/print-payment.php file, where the 'sql111' argument can be manipulated to inject SQL into the backend query. According to the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), the flaw is reachable over the network with low attack complexity and no user interaction, but it does require low privileges (PR:L), so the attacker must already hold limited access, most likely as a low-privileged authenticated user of the admin panel. Successful exploitation affects the confidentiality, integrity, and availability of the database, potentially allowing an attacker to read sensitive data, modify or delete records, or disrupt service. Although the CVSS score is moderate at 5.3, the public availability of exploit code increases the likelihood of exploitation. The vulnerability does not affect system components beyond the database layer and does not require social engineering, making it a direct threat to the integrity of the affected software's data management. No official patches or mitigations have been published yet, which increases the urgency for organizations using this software to apply compensating controls.

Potential Impact

For European organizations using SourceCodester Pet Grooming Management Software 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of the customer and payment data managed by the application. Pet grooming businesses often handle personally identifiable information (PII) and payment details which, if exposed or altered, could lead to regulatory non-compliance under GDPR, reputational damage, and financial losses. Because the vulnerability can be exploited remotely without user interaction, attackers can automate attacks, potentially leading to widespread data breaches or service disruptions. Given the software's niche market, the impact is concentrated on small and medium enterprises in the pet care sector, but the consequences of data leakage or manipulation could be severe, especially if payment processing or customer records are compromised. Additionally, the lack of patches and the public availability of an exploit increase the likelihood of exploitation attempts against European businesses relying on this software.

Mitigation Recommendations

European organizations should immediately audit their use of SourceCodester Pet Grooming Management Software version 1.0 and restrict access to the /admin/print-payment.php endpoint to trusted administrators only, ideally through network segmentation and IP whitelisting. Implementing Web Application Firewalls (WAFs) with custom rules that detect and block SQL injection patterns targeting the 'sql111' parameter can provide a temporary protective layer. Organizations should enforce the principle of least privilege, ensuring that users with access to the admin panel hold only the permissions they need. Monitoring and logging database queries related to payment processing can help detect anomalous activity indicative of exploitation attempts. Until an official patch is released, consider migrating to alternative software or, if source code access is available, applying code-level fixes such as parameterized queries or prepared statements, so that user input is bound as data rather than concatenated into the query text. Regular backups of the database should be maintained to enable recovery in case of data tampering or loss.
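The code-level fix described above, as an added example that is not part of the advisory or of SourceCodester's code: a hardened shape for the /admin/print-payment.php handler using a PDO prepared statement, with the assumed vulnerable form left as a comment. It assumes 'sql111' is meant to identify a single payment record and that the table, column, session and connection names are placeholders; if the application actually accepts query text in that parameter, the fix is to drop that interface and map requests to fixed server-side queries.

```php
<?php
// Added example, not SourceCodester's code. Only the endpoint and the
// 'sql111' parameter come from the advisory; table/column names, the
// session check and the DSN are assumptions, and 'sql111' is assumed
// to identify one payment record.
declare(strict_types=1);
session_start();

// Least privilege: only an authenticated admin may reach this page.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Validate the parameter as a positive integer before it reaches the DB.
$paymentId = filter_input(INPUT_GET, 'sql111', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($paymentId === false || $paymentId === null) {
    http_response_code(400);
    exit('Invalid payment id');
}

// Vulnerable shape the advisory describes (assumed): the raw parameter is
// spliced into the SQL text, so user input becomes query syntax. Shown
// only as the "before"; never execute this form.
//   $sql = "SELECT * FROM payments WHERE id = " . $_GET['sql111'];

// Hardened form: fixed query text, value bound as a typed parameter.
$pdo = new PDO('mysql:host=localhost;dbname=petgrooming', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$stmt = $pdo->prepare(
    'SELECT id, customer_name, amount, paid_on FROM payments WHERE id = :id'
);
$stmt->bindValue(':id', $paymentId, PDO::PARAM_INT);
$stmt->execute();
$payment = $stmt->fetch(PDO::FETCH_ASSOC);
if ($payment === false) {
    http_response_code(404);
    exit('Payment not found');
}

// Escape on output as well: stored records may contain user-supplied text.
header('Content-Type: text/html; charset=utf-8');
foreach ($payment as $column => $value) {
    echo htmlspecialchars("$column: $value", ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

A WAF rule on 'sql111' remains a stopgap; the prepared statement removes the injection class regardless of what a pattern filter happens to catch.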


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-22T05:17:21.831Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d22c2079681e6adcf142e1

Added to database: 9/23/2025, 5:12:00 AM

Last enriched: 9/23/2025, 5:12:26 AM

Last updated: 9/24/2025, 6:19:09 AM
