
CVE-2025-4163: SQL Injection in PHPGurukul Land Record System

Severity: Medium
Type: Vulnerability (CVE-2025-4163)
Published: Thu May 01 2025 (05/01/2025, 11:31:05 UTC)
Source: CVE
Vendor/Project: PHPGurukul
Product: Land Record System

Description

A vulnerability, which was classified as critical, has been found in PHPGurukul Land Record System 1.0. This issue affects some unknown processing of the file /admin/aboutus.php. The manipulation of the argument pagetitle leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 17:46:38 UTC

Technical Analysis

CVE-2025-4163 is a SQL injection vulnerability in PHPGurukul Land Record System 1.0, in the /admin/aboutus.php script. The 'pagetitle' parameter reaches the database without adequate validation or parameterization, so anyone who can submit a request to that script can change the structure of the SQL statement it runs. Depending on the statement and on the privileges of the database account the application uses, that can expose, modify or delete land record data, affecting the confidentiality, integrity and availability of the records the system manages.

Two points in the public record need careful reading. First, the CVE description calls the issue "critical"; that is VulDB's own classification label for SQL injection, not the CVSS rating. The CVSS 4.0 base score published for this CVE is 5.3 (medium). Second, this page does not reproduce the CVSS vector, so the attack requirements cannot be confirmed from it alone. The affected script sits under /admin/, which in this class of application is normally reachable only with an administrator session, and a medium score is consistent with some privileges being required. "Remotely" in the description means reachable over the network; it does not by itself establish that the injection is exploitable without authentication, and that should be verified against the vector before the finding is rated.

No exploitation in the wild has been reported, but exploit details have been published, which lowers the effort required for an attacker. The description also notes that other parameters may be affected, which suggests the same unparameterized query pattern is repeated elsewhere in the application rather than being a single isolated bug. No vendor patch or advisory was available at the time of publication. The application is intended for managing property and land ownership records; in any deployment that holds real records, the sensitivity of that data combined with the absence of a maintained patch stream makes the issue more serious than the base score alone suggests.

Potential Impact

For European organizations, particularly government agencies and municipal bodies responsible for land registry and property management, exploitation of this vulnerability could have severe consequences. Unauthorized reading or alteration of land records can lead to fraudulent property claims, legal disputes, financial loss and loss of public trust, since the integrity of ownership data underpins real estate transactions, taxation and urban planning. A successful injection could also expose personal data of property owners, which is a reportable breach under the GDPR. Malicious queries that lock or delete tables, or simply consume database resources, could also take land record services offline and disrupt administrative operations. Because land registry systems matter well beyond the IT estate that hosts them, the medium CVSS score is likely to understate the real-world impact for a deployment holding live data. Organizations running PHPGurukul Land Record System 1.0 should treat the threat as significant and prioritize remediation.

Mitigation Recommendations

1. As an immediate measure, restrict network access to the whole /admin/ directory, not only /admin/aboutus.php, to trusted IP addresses or a VPN, since the description indicates other parameters may be affected.
2. Deploy Web Application Firewall (WAF) rules for SQL injection patterns on the 'pagetitle' parameter and the other input fields of the admin pages. Treat this as a stopgap that buys time, not as the fix.
3. Review the application code and audit input handling for every parameter that reaches the database, to find and fix the other injection points the description hints at.
4. Replace string-built SQL with parameterized queries or prepared statements in the database access layer; this removes the vulnerability class rather than filtering individual payloads.
5. Run the application with a database account limited to the tables and operations it needs, so that a successful injection cannot read or alter unrelated data.
6. Upgrade to a patched or newer version of PHPGurukul Land Record System as soon as one is available.
7. Monitor web server and database logs for unusual queries, SQL metacharacters in request parameters, and repeated requests to the affected endpoint.
8. Inform administrative users of the risk and of the signs of exploitation attempts.
9. As a longer-term measure, consider migrating to an actively maintained land record management solution that follows secure coding practices and receives regular security updates.
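The following PHP is an added illustration of items 3 and 4 above, not code from the PHPGurukul project. The actual contents of /admin/aboutus.php are not reproduced on this page, so the table name (tblpage), column names (PageTitle, PageDescription, PageType), the form field names, the mysqli connection and the length limits are all assumptions; only the shape of the bug (request input concatenated into an SQL string) and of the fix (validate, then bind parameters) is what the advisory supports.

```php
<?php
// Added example (not PHPGurukul's code): a string-built UPDATE of the kind that
// produces CVE-2025-4163-style injection, beside a hardened version.
// Table/column names, form fields and the connection details are assumptions.

declare(strict_types=1);

// Assumed connection; a real deployment should use a least-privilege account.
$con = new mysqli('localhost', 'lrs_app', 'change-me', 'lrsdb');
$con->set_charset('utf8mb4');

// --- Vulnerable pattern: request input concatenated straight into SQL ---
function update_aboutus_unsafe(mysqli $con, array $post): bool
{
    $pagetitle = $post['pagetitle'] ?? '';
    $pagedes   = $post['pagedes'] ?? '';
    // A pagetitle such as  x', PageDescription=(SELECT Password FROM tbladmin LIMIT 1) -- 
    // closes the quoted value and rewrites the rest of the statement. Time-based
    // payloads (SLEEP) or a condition that makes the WHERE clause true for every
    // row work the same way.
    $sql = "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' "
         . "WHERE PageType='aboutus'";
    return (bool) $con->query($sql);
}

// --- Hardened: validate the input, then bind it as a parameter ---
function update_aboutus_safe(mysqli $con, array $post): bool
{
    $pagetitle = trim((string) ($post['pagetitle'] ?? ''));
    $pagedes   = trim((string) ($post['pagedes'] ?? ''));

    // Reject empty or oversized values before they reach the database.
    // The limits are assumed; pick ones that match the column definitions.
    if ($pagetitle === '' || mb_strlen($pagetitle) > 200 || mb_strlen($pagedes) > 5000) {
        return false;
    }

    // Placeholders: the values travel to MySQL separately from the statement
    // text, so a quote or comment sequence in $pagetitle is stored literally
    // and can never change the query structure.
    $stmt = $con->prepare(
        'UPDATE tblpage SET PageTitle = ?, PageDescription = ? WHERE PageType = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $type = 'aboutus';
    $stmt->bind_param('sss', $pagetitle, $pagedes, $type);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (wired to the form handler of the page in question):
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     $saved = update_aboutus_safe($con, $_POST);
// }
```

The same two-step change (length or format check, then a prepared statement) applies to every other parameter the code review in item 3 turns up; an application-wide switch to prepared statements is what closes the "other parameters might be affected" gap, whereas escaping or a WAF rule only addresses the payloads someone has thought of.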


Technical Details

Data version: 5.1
Assigner short name: VulDB
Date reserved: 2025-04-30T18:36:12.799Z
CISA enriched: true
CVSS version: 4.0
State: PUBLISHED

Threat ID: 682d9839c4522896dcbecf06

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 5:46:38 PM

Last updated: 8/12/2025, 3:03:57 AM
