CVE-2025-11591 is a SQL injection vulnerability identified in CodeAstro Gym Management System version 1.0. The flaw exists in the /admin/actions/delete-member.php script, where the 'ID' parameter is improperly validated or sanitized before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands by manipulating the 'ID' argument, potentially leading to unauthorized access, data leakage, data modification, or deletion within the backend database. The vulnerability does not require user interaction or prior authentication, increasing its exploitability. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of remote exploitation but limited scope and impact compared to higher severity SQL injection flaws. No patches or fixes have been officially released yet, and no known exploits have been observed in the wild, but the public disclosure of the vulnerability increases the risk of exploitation attempts. The vulnerability primarily affects installations of CodeAstro Gym Management System 1.0, a niche product used in gym and fitness center management, which may limit the overall attack surface but still poses a significant risk to affected organizations.

The SQL injection vulnerability can allow attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized disclosure of sensitive member information, unauthorized modification or deletion of records, and disruption of gym management operations. This compromises the confidentiality, integrity, and availability of the system. For organizations relying on this software, a successful attack could result in data breaches exposing personal and payment information of gym members, loss of trust, regulatory penalties, and operational downtime. Since the vulnerability is remotely exploitable without authentication or user interaction, it presents a significant risk especially if the affected system is accessible from the internet. However, the medium CVSS score reflects some limitations in impact or exploit complexity. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, particularly after public disclosure.

1. Immediate mitigation should focus on input validation and sanitization: ensure that the 'ID' parameter in /admin/actions/delete-member.php is strictly validated to accept only expected numeric values and reject any malicious input. 2. Employ parameterized queries or prepared statements to prevent SQL injection attacks by separating SQL code from data. 3. Restrict access to the /admin/actions/delete-member.php endpoint by implementing strong authentication and IP whitelisting to reduce exposure. 4. Monitor logs for unusual or suspicious database queries or repeated failed attempts targeting the 'ID' parameter. 5. If possible, isolate the affected system behind a firewall or VPN to limit external access. 6. Engage with the vendor or community to obtain patches or updates as soon as they become available. 7. Conduct a thorough security audit of the entire application to identify and remediate other potential injection points. 8. Educate administrators and developers on secure coding practices to prevent similar vulnerabilities in future versions.