CVE-2025-4464: SQL Injection in itsourcecode Gym Management System
A vulnerability has been found in itsourcecode Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_plan. The manipulation of the argument plan leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-4464 is a SQL injection vulnerability (CWE-89) in version 1.0 of the itsourcecode Gym Management System. It lies in the /ajax.php endpoint, in the 'save_plan' action, where the 'plan' parameter is used in a database query without being properly neutralized. A remote attacker can therefore change the structure of the backend SQL query, which can lead to unauthorized reading of data, modification of data, or, depending on the database account's privileges and configuration, compromise of the underlying database. VulDB classifies the entry as critical, but its CVSS 4.0 base score is 6.9, which is medium severity: the score reflects remote exploitation with no authentication or user interaction required, offset by limited impact on each of confidentiality, integrity, and availability. No active exploitation in the wild has been reported, but the exploit details have been disclosed publicly, which lowers the effort needed to attack exposed installations. Only version 1.0 is listed as affected. The application manages gym memberships, plans, and related member records, so personal data and possibly billing information are within reach of a successful injection.
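To make the mechanism concrete, here is an added example that is not code from the Gym Management System or from VulDB: a constructed Python/SQLite model of the bug class, in which a 'plan' value is concatenated into a query the way the vulnerable handler is described as doing, placed beside the parameterized form that closes the hole. The table names, the columns, and the `users` table are assumptions used only to show what a UNION-based payload can reach; the real application's schema and query text are not given in this entry.

```python
"""Constructed model of the CVE-2025-4464 bug class (SQL injection via a
request parameter). Added example, not code from the itsourcecode Gym
Management System. Schema, column names and sample rows are assumptions.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database standing in for the application's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE plan  (id INTEGER PRIMARY KEY, plan TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO plan (plan, price) VALUES ('Monthly', 30.0), ('Annual', 300.0);
        INSERT INTO users (username, password) VALUES ('admin', 'hashed-secret');
        """
    )
    return conn


def lookup_plan_vulnerable(conn: sqlite3.Connection, plan: str):
    """Duplicate-name check a save handler might perform, written the way
    the vulnerable code is described: the parameter is spliced into SQL."""
    sql = "SELECT id, plan FROM plan WHERE plan = '" + plan + "'"
    return conn.execute(sql).fetchall()


def lookup_plan_fixed(conn: sqlite3.Connection, plan: str):
    """Same query with a bound parameter: 'plan' is sent as data and is
    never parsed as SQL, so the payloads below match nothing."""
    sql = "SELECT id, plan FROM plan WHERE plan = ?"
    return conn.execute(sql, (plan,)).fetchall()


# Constructed payloads. The first closes the string literal, appends a UNION
# over another table and comments out the trailing quote; the second is a
# classic tautology that makes the WHERE clause always true.
UNION_PAYLOAD = "x' UNION SELECT id, password FROM users-- "
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run each input through both handlers and collect the result rows."""
    conn = setup_db()
    return {
        "benign_vulnerable": lookup_plan_vulnerable(conn, "Monthly"),
        "benign_fixed": lookup_plan_fixed(conn, "Monthly"),
        "union_vulnerable": lookup_plan_vulnerable(conn, UNION_PAYLOAD),
        "union_fixed": lookup_plan_fixed(conn, UNION_PAYLOAD),
        "tautology_vulnerable": lookup_plan_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "tautology_fixed": lookup_plan_fixed(conn, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} {rows}")
```

The vulnerable path returns the `users` row for the UNION payload and every plan for the tautology, while the bound-parameter path returns nothing for either; the only difference between the two handlers is whether the request value is part of the SQL text. A PHP application built on mysqli or PDO gets the same guarantee from `prepare()`/`bind_param()` or `bindValue()`.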
Potential Impact
For organizations running the itsourcecode Gym Management System 1.0, including those in Europe, the vulnerability threatens the confidentiality and integrity of member data: personal identification details and potentially payment information. Exploitation could lead to unauthorized disclosure, tampering with plan or membership records, or disruption of gym operations, with the usual consequences of reputational damage, GDPR penalties for a personal data breach, and financial loss. Because the flaw is reachable remotely without authentication and the exploit is public, any instance exposed to the internet without further controls is at direct risk of opportunistic, low-effort exploitation. Organizations that depend on the system for member management and billing could face operational disruption and loss of customer trust if it is compromised.
Mitigation Recommendations
Apply a vendor fix if one is released; none is referenced in this entry, so the code-level fix and the compensating controls below are the primary measures. At the code level, rewrite the save_plan handler so that the 'plan' parameter, and every other request parameter, reaches the database only through prepared statements with bound parameters; escaping or filtering alone is not a reliable fix for SQL injection. Audit the other actions dispatched by /ajax.php for the same query-building pattern. As a stopgap, deploy web application firewall (WAF) rules that inspect requests to /ajax.php?action=save_plan and block SQL syntax in the 'plan' parameter, keeping in mind that the rule must be applied where the request body is visible and that signature-based filtering can be bypassed with encoding and obfuscation. Restrict access to the management interface to trusted networks or a VPN to shrink the attack surface. Enable database query logging and review it, together with web server logs, for UNION clauses, comment sequences, or tautologies in requests to this endpoint. Review backups and the incident response plan in case exploitation has already occurred, and isolate the vulnerable system from other critical infrastructure until it is remediated.
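The WAF and log-review advice above can be turned into a concrete check. The following is an added example, not a rule from any WAF product or from the application: a Python request inspector that isolates the 'plan' parameter of save_plan requests wherever it arrives (query string or form body), decodes it twice to catch double encoding, and flags SQL syntax that has no place in a plan name while leaving an apostrophe in a name such as "Beginner's Plan" alone. The sample requests are constructed.

```python
"""Request-level detection for SQL injection attempts against
/ajax.php?action=save_plan. Added example, not a rule shipped with any
WAF or with the application; the sample requests below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Patterns that only make sense as SQL syntax, not as a gym plan name.
# A bare apostrophe is deliberately not a signal on its own.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),  # ' OR 1=1 tautology
    re.compile(r"union\s+(all\s+)?select", re.I),                 # column extraction
    re.compile(r"'\s*(--|#|/\*)"),                                  # quote then SQL comment
    re.compile(r";\s*(drop|insert|update|delete)\s", re.I),        # stacked statements
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),                 # time-based blind
]


def normalise(value: str) -> str:
    """Decode twice (to unwrap %2527-style double encoding) and collapse
    whitespace so the patterns see what the database would see."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def is_sqli(value: str) -> bool:
    """True if the decoded value contains SQL syntax from the list above."""
    v = normalise(value)
    return any(p.search(v) for p in SQLI_PATTERNS)


def inspect_request(method: str, url: str, body: str = ""):
    """Return (flagged, reason). Only the 'plan' parameter of save_plan
    requests is examined; everything else passes untouched."""
    parts = urlsplit(url)
    if parts.path != "/ajax.php":
        return False, "not ajax.php"
    query = parse_qs(parts.query)
    if query.get("action", [""])[0] != "save_plan":
        return False, "not save_plan"
    form = parse_qs(body) if body else {}
    for plan in query.get("plan", []) + form.get("plan", []):
        if is_sqli(plan):
            return True, "sqli in plan: " + normalise(plan)
    return False, "clean"


# Constructed sample requests: (method, URL, form body).
SAMPLE_REQUESTS = [
    ("POST", "/ajax.php?action=save_plan", "plan=Monthly+Gold&price=30"),
    ("POST", "/ajax.php?action=save_plan", "plan=Beginner%27s+Plan&price=20"),
    ("POST", "/ajax.php?action=save_plan",
     "plan=x%27+UNION+SELECT+id%2Cpassword+FROM+users--+&price=0"),
    ("POST", "/ajax.php?action=save_plan",
     "plan=%2527%2520OR%25201%253D1--%2520&price=0"),        # double-encoded
    ("GET", "/ajax.php?action=login", "plan=%27+OR+1%3D1--+"),  # wrong action
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Flag each request; used as the block's entry point."""
    return [inspect_request(*r)[0] for r in requests]


if __name__ == "__main__":
    for req, flagged in zip(SAMPLE_REQUESTS, scan()):
        print(flagged, inspect_request(*req)[1])
```

Two caveats apply to any such rule. It must run where the POST body is visible (a WAF, a reverse proxy with body inspection, or request logging that captures form parameters), because a standard access log only shows the `?action=save_plan` query string. And signatures of this kind are a stopgap that attackers can work around with case tricks, inline comments, or alternative encodings; the durable fix is the parameterized query in the application itself.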
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-08T19:10:06.458Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd7b37
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 2:56:36 AM
Last updated: 7/31/2025, 2:53:47 AM
Related Threats
- CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (Medium)
- CVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad (Medium)
- CVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad (High)
- CVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad (High)
- CVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode (Medium)