CVE-2025-11506 identifies a SQL Injection vulnerability in PHPGurukul Beauty Parlour Management System version 1.1, specifically in the /admin/search-appointment.php script. The vulnerability arises from improper sanitization of the 'searchdata' parameter, which is directly used in SQL queries without adequate validation or parameterization. This allows remote attackers to inject arbitrary SQL commands, potentially extracting sensitive information, modifying database contents, or disrupting service availability. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and moderate impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, a public exploit is available, increasing the likelihood of attacks. The affected product is niche software used primarily in beauty parlour management, which may limit the scope but still poses significant risks to organizations relying on this system for appointment scheduling and customer data management. The lack of official patches at the time of disclosure necessitates immediate mitigation through alternative controls.

The impact of this vulnerability includes unauthorized access to sensitive customer and business data stored in the backend database, such as appointment details, personal information, and possibly payment data if stored. Attackers could manipulate or delete records, leading to data integrity issues and operational disruption. The availability of the system could be affected if attackers execute commands that cause database crashes or lockouts. Since the vulnerability is remotely exploitable without authentication, attackers can launch attacks at scale, potentially affecting multiple organizations using this software. This could lead to reputational damage, regulatory penalties for data breaches, and financial losses. The niche nature of the software limits the global scale but does not diminish the severity for affected entities, especially small to medium businesses in the beauty and wellness sector that rely heavily on this system for daily operations.

1. Monitor for official patches or updates from PHPGurukul and apply them immediately once available. 2. Until patches are released, implement strict input validation and sanitization on the 'searchdata' parameter, preferably using prepared statements or parameterized queries to prevent SQL injection. 3. Deploy a Web Application Firewall (WAF) configured to detect and block SQL injection payloads targeting the vulnerable endpoint. 4. Restrict access to the /admin/search-appointment.php page to trusted IP addresses or VPN users to reduce exposure. 5. Conduct regular security audits and code reviews of customizations or integrations involving the affected system. 6. Maintain regular backups of the database to enable recovery in case of data tampering or loss. 7. Educate staff about the risks and signs of exploitation to enable early detection and response.