CVE-2025-13247 is a SQL injection vulnerability identified in PHPGurukul Tourism Management System version 1.0. The vulnerability exists in the /admin/user-bookings.php file, where the uid parameter is improperly sanitized, allowing attackers to inject malicious SQL code. This injection flaw enables remote attackers to manipulate backend database queries without authentication or user interaction, potentially exposing sensitive booking and user data or altering database contents. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting medium severity with network attack vector, low complexity, and no required privileges or user interaction. The impact on confidentiality, integrity, and availability is limited but significant enough to warrant attention. Although no official patches or fixes have been released, the public availability of exploit code increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is a niche tourism management system primarily used in certain regional markets. The lack of scope or security controls in the affected function exacerbates the risk. Organizations relying on this system should urgently assess exposure and implement compensating controls.

The SQL injection vulnerability in PHPGurukul Tourism Management System 1.0 can lead to unauthorized access to sensitive booking and user data, compromising confidentiality. Attackers could also modify or delete records, impacting data integrity and potentially disrupting business operations. Since the vulnerability is remotely exploitable without authentication or user interaction, it poses a significant risk of automated or mass exploitation. The tourism sector relies heavily on accurate and confidential booking information; thus, exploitation could damage customer trust and lead to regulatory penalties for data breaches. The absence of patches means organizations remain exposed, increasing the window of opportunity for attackers. While the vulnerability does not directly affect system availability, indirect impacts such as data corruption or administrative disruption are possible. Overall, the threat could result in financial losses, reputational damage, and operational challenges for affected entities.

1. Immediately restrict access to the /admin/user-bookings.php endpoint to trusted IP addresses or internal networks using firewall rules or web server access controls. 2. Implement strong input validation and parameterized queries (prepared statements) in the uid parameter handling to prevent SQL injection. 3. Conduct a thorough code review of the entire application to identify and remediate similar injection flaws. 4. Monitor web server and database logs for unusual queries or error messages indicative of injection attempts. 5. If possible, isolate the affected system from the internet or place it behind a VPN until a patch is available. 6. Engage with PHPGurukul or the software vendor to obtain or request an official patch or update. 7. Educate administrators and developers about secure coding practices and the risks of SQL injection. 8. Consider deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection payloads targeting the uid parameter. 9. Regularly back up databases and verify backup integrity to enable recovery in case of data tampering. 10. Plan for an incident response strategy to quickly address any exploitation attempts.