CVE-2025-11505: SQL Injection in PHPGurukul Beauty Parlour Management System
A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. Impacted is an unknown function of the file /admin/new-appointment.php. The manipulation of the argument delid leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-11505 identifies a SQL injection vulnerability in PHPGurukul Beauty Parlour Management System version 1.1. The flaw is in the /admin/new-appointment.php script, where the delid request parameter is used in a database query without validation or parameterization, so an attacker who controls that value can alter the query. The injection is reachable over the network and needs no user interaction. The analysis above rates it as requiring no privileges; note, however, that the script sits under /admin/, and the vendor description does not say whether the page enforces an admin session, so verify on your own deployment whether delid is reachable before login before treating this as a pre-authentication bug. Successful exploitation allows reading, modifying, or deleting rows in the backend database, affecting confidentiality and integrity and, if records are dropped, availability. The CVSS 4.0 base score of 6.9 is Medium: exploitation is easy (network reachable, low complexity) but the impact is confined to this application's database. No official patch is referenced on this page, and while no active exploitation has been reported, exploit code is public, which lowers the bar for opportunistic attackers. Only version 1.1 of this product is listed as affected; it is typically deployed by small to medium beauty parlour businesses.
Potential Impact
The primary impact is unauthorized access to the application's backend database. An attacker could extract customer records, appointment details, and other business data, or alter and delete records, disrupting operations. Because the data is personal information about customers, a compromise can carry regulatory consequences in addition to reputational and financial harm. Public exploit code and remote reachability mean the attack can be automated and run at scale against every exposed instance, so the realistic threat is mass opportunistic scanning rather than targeted intrusion. The overall impact is bounded by the product's niche user base: affected organizations are mostly small businesses that hold modest amounts of data but also have few resources for detection and incident response.
Mitigation Recommendations
Organizations running PHPGurukul Beauty Parlour Management System 1.1 should first reduce exposure: restrict /admin/ (and /admin/new-appointment.php in particular) to trusted IP ranges or an internal network, or move the whole application behind a VPN, since the admin interface has no business being reachable from the public internet. A web application firewall with SQL injection rules can block known payloads against the delid parameter but should be treated as a stopgap, not a fix. Until an official patch is available, fix the code itself: validate that delid is a plain integer and pass it to the database through a prepared statement with a bound parameter rather than string concatenation; this removes the injection regardless of what the WAF catches. Apply the same treatment to every other request parameter that reaches a query, because a public exploit for one parameter tends to be followed by discovery of siblings. Monitor web server logs for requests to the endpoint whose delid value is anything other than a short integer, and alert on them. Finally, keep frequent, tested, offline backups of the database so that deleted or tampered records can be restored.
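The following is an added example, not code from PHPGurukul or from this advisory, illustrating the class of bug described in the Technical Summary and the prepared-statement fix recommended above. It uses an in-memory SQLite table with assumed names (tblappointment, id, name, appt_date) so it runs offline; the real application's schema and query are not shown on this page. It contrasts a query that splices delid into SQL with one that binds it, and shows that binding alone neutralizes the payload while an integer check additionally rejects it outright.

```python
"""Added example (not PHPGurukul code): unparameterized delete on a
`delid`-style parameter versus the bound-parameter fix.
Table and column names are assumptions for illustration only."""
import sqlite3

# Constructed sample rows standing in for appointment records.
ROWS = [
    (1, "Alice", "2025-10-09"),
    (2, "Bob", "2025-10-10"),
    (3, "Carol", "2025-10-11"),
]


def fresh_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database seeded with ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblappointment "
        "(id INTEGER PRIMARY KEY, name TEXT, appt_date TEXT)"
    )
    conn.executemany("INSERT INTO tblappointment VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def remaining(conn: sqlite3.Connection) -> list[int]:
    """Return the ids still present, in order."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM tblappointment ORDER BY id")]


def delete_vulnerable(conn: sqlite3.Connection, delid: str) -> list[int]:
    """The bug pattern: the request value is concatenated into the SQL text,
    so a tautology such as '0 OR 1=1' widens the WHERE clause to every row."""
    sql = "DELETE FROM tblappointment WHERE id=" + delid
    conn.execute(sql)
    conn.commit()
    return remaining(conn)


def delete_bound_only(conn: sqlite3.Connection, delid: str) -> list[int]:
    """Binding alone: the whole string is a single value compared against id,
    never parsed as SQL, so the tautology payload matches nothing."""
    conn.execute("DELETE FROM tblappointment WHERE id=?", (delid,))
    conn.commit()
    return remaining(conn)


def delete_hardened(conn: sqlite3.Connection, delid: str) -> list[int]:
    """Recommended form: validate the shape, then bind the typed value."""
    if not delid.isdigit():
        raise ValueError("delid must be a positive integer")
    conn.execute("DELETE FROM tblappointment WHERE id=?", (int(delid),))
    conn.commit()
    return remaining(conn)


if __name__ == "__main__":
    payload = "0 OR 1=1"
    print("vulnerable, benign id 2 ->", delete_vulnerable(fresh_db(), "2"))
    print("vulnerable, payload     ->", delete_vulnerable(fresh_db(), payload))
    print("bound only, payload     ->", delete_bound_only(fresh_db(), payload))
    print("hardened, benign id 2   ->", delete_hardened(fresh_db(), "2"))
    try:
        delete_hardened(fresh_db(), payload)
    except ValueError as exc:
        print("hardened, payload       -> rejected:", exc)
```

The vulnerable path deletes every appointment when given the tautology, which is the integrity and availability impact the advisory describes. SQLite's driver refuses stacked statements, so a payload like `1; DROP TABLE ...` fails here, but a MySQL deployment driven through PHP may or may not behave the same way depending on the API used, which is one more reason not to rely on driver quirks and to bind parameters instead.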
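As an added example of the log monitoring suggested above (not tooling from the advisory or the vendor), the script below scans constructed Apache-style access log lines for requests to /admin/new-appointment.php whose decoded delid value is not a short integer. The log format, IP addresses, and payload strings are invented for the demonstration; the endpoint path and parameter name are the ones this page reports.

```python
"""Added example: flag suspicious `delid` values in web server access logs.
Sample log lines below are constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one benign request, two injection attempts, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2025:21:40:08 +0000] "GET /admin/new-appointment.php?delid=12 HTTP/1.1" 302 -
203.0.113.7 - - [08/Oct/2025:21:40:09 +0000] "GET /admin/new-appointment.php?delid=12%27%20OR%201%3D1--%20- HTTP/1.1" 200 5120
198.51.100.9 - - [08/Oct/2025:21:41:15 +0000] "GET /admin/new-appointment.php?delid=1+AND+SLEEP(5) HTTP/1.1" 200 5120
198.51.100.9 - - [08/Oct/2025:21:42:00 +0000] "GET /index.php HTTP/1.1" 200 800
"""

# Common Log Format: client ip, identd, user, [timestamp], "METHOD target PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/new-appointment.php"
PARAM = "delid"


def suspicious_delid(value: str) -> bool:
    """A legitimate record id is a short run of digits; anything else
    (quotes, spaces, operators, comments) is worth an alert."""
    return re.fullmatch(r"\d{1,10}", value) is None


def scan(log_text: str) -> list[dict]:
    """Return one dict per request carrying a suspicious delid value.
    parse_qs percent-decodes and turns '+' into spaces, so encoded
    payloads are examined in the form the application would see."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
        for raw in values:
            if suspicious_delid(raw):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "delid": raw,
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} delid={hit['delid']!r}")
```

Only GET query strings appear in a standard access log; if the application accepts delid in a POST body, this scan will miss those requests, and body logging (or WAF logs) is needed to cover them. Blank or absent delid values are not flagged here, and a 302 on the benign request versus 200 on the payloads is shown only as a hint that response size and status can help triage, not as a reliable signal.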
Affected Countries
India, United States, United Kingdom, Australia, Canada, Germany, France, Brazil, South Africa, United Arab Emirates
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-08T14:53:00.486Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e6da3805e85d528e093f56
Added to database: 10/8/2025, 9:40:08 PM
Last enriched: 2/24/2026, 10:00:17 PM
Last updated: 3/23/2026, 7:23:35 PM