The vulnerability CVE-2025-13172 affects CodeAstro Gym Management System version 1.0, located in the /admin/view-member-report.php file. The issue is an SQL injection caused by improper handling of the 'ID' parameter, which is directly used in SQL queries without adequate sanitization or parameterization. This allows remote attackers to inject malicious SQL code by manipulating the 'ID' argument, potentially leading to unauthorized data retrieval, modification, or deletion within the backend database. The attack vector is network accessible (AV:N), requires low attack complexity (AC:L), no authentication (AT:N), and no user interaction (UI:N), but requires low privileges (PR:L), indicating that an attacker with limited access could exploit this flaw. The vulnerability impacts confidentiality, integrity, and availability, but with limited scope and impact (VC:L, VI:L, VA:L). Although no active exploits have been reported in the wild, public exploit code has been released, increasing the risk of exploitation. The lack of patches or official vendor mitigation increases urgency for organizations to implement their own controls. This vulnerability is particularly concerning for organizations that store sensitive member information such as personal details, payment data, or health records, as unauthorized access could lead to privacy violations and regulatory non-compliance. The vulnerability is categorized as medium severity with a CVSS 4.0 score of 5.3, reflecting moderate risk but significant enough to warrant immediate remediation efforts.

For European organizations using CodeAstro Gym Management System 1.0, this vulnerability poses a risk of unauthorized access to sensitive member data, including personal and potentially financial information. Exploitation could lead to data breaches, loss of member trust, and regulatory penalties under GDPR due to exposure of personal data. Integrity of the database could be compromised, allowing attackers to alter membership records or manipulate reports, potentially disrupting business operations. Availability could also be affected if attackers execute destructive SQL commands. The remote, unauthenticated nature of the attack vector increases the threat level, especially for gyms and fitness centers with internet-facing administrative portals. The medium severity rating suggests that while the impact is not catastrophic, the vulnerability could be leveraged as part of a larger attack chain or to gain foothold within the network. European organizations must consider the reputational damage and compliance risks associated with such breaches, particularly in countries with strict data protection laws.

1. Immediately restrict access to the /admin/view-member-report.php page to trusted IP addresses or VPN users to reduce exposure. 2. Implement strict input validation and sanitization on the 'ID' parameter, ensuring only expected numeric or alphanumeric values are accepted. 3. Refactor the application code to use parameterized queries or prepared statements to prevent SQL injection. 4. Conduct a comprehensive code review of all input handling in the application to identify and remediate similar vulnerabilities. 5. Monitor web server and application logs for unusual or suspicious requests targeting the 'ID' parameter or admin endpoints. 6. If possible, isolate the gym management system within a segmented network zone to limit lateral movement in case of compromise. 7. Engage with the vendor for official patches or updates and apply them promptly once available. 8. Educate administrative users about the risks and encourage strong authentication mechanisms, even though this vulnerability does not require authentication. 9. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block SQL injection attempts targeting this endpoint. 10. Regularly back up the database and test restoration procedures to minimize impact in case of data corruption or deletion.