CVE-2025-4362 is a critical SQL Injection vulnerability identified in version 1.0 of the itsourcecode Gym Management System. The vulnerability exists in the /ajax.php endpoint, specifically when processing the 'member_id' parameter during the 'save_membership' action. An attacker can remotely exploit this flaw by manipulating the 'member_id' argument to inject malicious SQL code. This injection can lead to unauthorized access, data leakage, or modification of the backend database. The vulnerability requires no authentication or user interaction, making it highly accessible for exploitation. The CVSS 4.0 score is 6.9, indicating a medium severity level, primarily due to limited impact on confidentiality, integrity, and availability (all rated low to limited). No known exploits are currently reported in the wild, but the public disclosure increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, and no patches have been published yet. The lack of authentication and remote attack vector significantly increases the attack surface, especially for organizations using this system to manage sensitive membership data.

For European organizations using the itsourcecode Gym Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of member data. Successful exploitation could lead to unauthorized disclosure of personal information, membership details, and potentially payment or health-related data stored within the system. This could result in regulatory non-compliance, especially under GDPR, leading to legal penalties and reputational damage. The integrity of membership records could be compromised, affecting billing, access control, and operational continuity. Although availability impact is limited, data manipulation or unauthorized access could disrupt gym operations. Given the remote and unauthenticated nature of the exploit, attackers could automate attacks at scale, targeting multiple organizations simultaneously. The public disclosure increases the urgency for European organizations to assess and mitigate this risk promptly.

Organizations should immediately audit their use of the itsourcecode Gym Management System to identify affected installations running version 1.0. Until an official patch is released, implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the 'member_id' parameter on the /ajax.php?action=save_membership endpoint. Input validation and parameterized queries should be enforced at the application level to sanitize all user inputs. Network segmentation can limit exposure of the management system to trusted internal networks only. Regularly monitor logs for suspicious activity related to this endpoint. Engage with the vendor for patch timelines and consider upgrading to a newer, patched version once available. If feasible, temporarily disable or restrict access to the vulnerable functionality to reduce risk. Additionally, conduct penetration testing to verify the effectiveness of mitigations and ensure no other injection points exist.