CVE-2025-11330 is a SQL injection vulnerability identified in the PHPGurukul Beauty Parlour Management System version 1.1. The vulnerability resides in the /admin/sales-reports-detail.php script, specifically in the handling of the fromdate and todate parameters. These parameters are used to filter sales report data but lack proper input validation or sanitization, allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely without user interaction, though it requires the attacker to have low-level privileges (likely authenticated access to the admin panel). The injection can lead to unauthorized reading, modification, or deletion of database records, potentially exposing sensitive customer or business data or corrupting sales reports. The vulnerability has been publicly disclosed but no confirmed exploits are currently active in the wild. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required (though the vector states PR:L, indicating low privileges), no user interaction, and low impact on confidentiality, integrity, and availability individually but combined they are low to medium. The vulnerability affects only version 1.1 of the product, and no official patches have been linked yet. The PHPGurukul Beauty Parlour Management System is a niche product used primarily by small to medium beauty parlour businesses for managing appointments, sales, and reports. The vulnerability's exploitation could allow attackers to manipulate sales data or extract sensitive information, undermining business operations and customer trust.

For European organizations, especially small and medium enterprises in the beauty and wellness sector using PHPGurukul Beauty Parlour Management System 1.1, this vulnerability poses a risk of unauthorized data access and manipulation. Exploitation could lead to exposure of sensitive customer information, financial data, and internal sales records, potentially resulting in financial loss, reputational damage, and regulatory non-compliance under GDPR. The ability to alter sales reports could also impact business decision-making and auditing processes. Since the attack can be launched remotely and requires only low-level privileges, insider threats or compromised credentials could be leveraged to exploit this vulnerability. While the product is niche, countries with a significant number of small beauty parlours using this software are at higher risk. The medium severity rating suggests a moderate but tangible threat that should not be ignored, especially given the public disclosure and absence of patches.

1. Immediately restrict access to the /admin/sales-reports-detail.php page and the admin interface to trusted IP addresses or VPNs to reduce exposure. 2. Implement strict input validation and sanitization on the fromdate and todate parameters, preferably using parameterized queries or prepared statements to prevent SQL injection. 3. Monitor logs for unusual or suspicious SQL queries or access patterns targeting the sales reports functionality. 4. Enforce strong authentication and role-based access control to limit low-privilege accounts from accessing sensitive admin functions. 5. Backup databases regularly to ensure recovery in case of data manipulation or corruption. 6. Engage with the vendor or community to obtain or develop patches or updates addressing this vulnerability. 7. Conduct security awareness training for administrators to recognize and report suspicious activity. 8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts targeting this endpoint. 9. If feasible, isolate the management system from the public internet or place it behind additional security layers.