CVE-2025-4758: SQL Injection in PHPGurukul Beauty Parlour Management System
A vulnerability classified as critical has been found in PHPGurukul Beauty Parlour Management System 1.1. Affected is an unknown function of the file /contact.php. The manipulation of the argument fname leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AI Analysis
Technical Summary
CVE-2025-4758 is a SQL Injection vulnerability identified in version 1.1 of the PHPGurukul Beauty Parlour Management System, specifically within the /contact.php file. The vulnerability arises from improper sanitization or validation of the 'fname' parameter, which is susceptible to malicious SQL payloads. An attacker can remotely exploit this flaw without requiring authentication or user interaction, allowing them to manipulate backend SQL queries. This can lead to unauthorized data access, data modification, or potentially full database compromise. Although the CVSS 4.0 score is 6.9 (medium severity), the vulnerability's remote exploitation and lack of required privileges make it a significant risk. The disclosure of the exploit to the public increases the likelihood of exploitation attempts. Other parameters in the same or related files might also be vulnerable, indicating a broader input validation issue within the application. The absence of available patches or mitigations from the vendor further elevates the risk for users of this software version.
Potential Impact
For European organizations using the PHPGurukul Beauty Parlour Management System version 1.1, this vulnerability poses a risk of unauthorized access to sensitive customer and business data stored within the application's database. Compromise could lead to exposure of personally identifiable information (PII), appointment details, payment information, and internal business records. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations), financial losses, and operational disruptions. Given the nature of beauty parlour management systems, which often handle customer bookings and payment data, the confidentiality and integrity of data are at risk. Additionally, attackers could leverage the vulnerability to pivot within the network if the system is connected to broader enterprise infrastructure. The remote, unauthenticated nature of the exploit increases the risk of widespread attacks, especially if the software is publicly accessible on the internet.
Mitigation Recommendations
Organizations should immediately audit their use of PHPGurukul Beauty Parlour Management System version 1.1 and identify any exposed instances. Since no official patch is currently available, the following mitigations are recommended:
1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting the 'fname' parameter and other input fields.
2) Restrict external access to the management system by network segmentation or VPN access only.
3) Conduct input validation and sanitization at the application or proxy level to neutralize malicious inputs.
4) Monitor logs for suspicious query patterns or repeated failed attempts indicative of exploitation.
5) Consider upgrading to a newer, patched version if available or migrating to alternative software with better security posture.
6) Regularly back up databases and ensure backups are secure to enable recovery in case of compromise.
7) Educate staff about the risks and signs of compromise related to this system.
These steps go beyond generic advice by focusing on compensating controls and proactive monitoring in the absence of a vendor patch.
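For sites that maintain their own copy of the application, the application-level fix for the 'fname' issue is to bind form values as query parameters rather than build the SQL string from them. The handler below is an added example, not PHPGurukul's code: the table and column names (tblcontact, FirstName, Email, Message), the email and message fields, the database name and account, and the BPMS_DB_PASS environment variable are all assumptions.

```php
<?php
// Added example (requires PHP 8.0+). Table, column, database and account names
// are assumptions for illustration, not PHPGurukul's actual schema.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return the trimmed value if it is a string within limits, else null. */
function clean_field(mixed $value, int $maxBytes, string $pattern): ?string
{
    if (!is_string($value)) {
        return null; // rejects array-style input such as fname[]=x
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxBytes || preg_match($pattern, $value) !== 1) {
        return null; // also rejects invalid UTF-8, for which preg_match returns false
    }
    return $value;
}

/** Validate the contact form and store it with a parameterized INSERT. */
function save_contact(mysqli $db, array $post): bool
{
    // Names may legitimately contain apostrophes, so validation alone cannot
    // be the control; the bound parameters below are.
    $fname   = clean_field($post['fname'] ?? null, 120, '/^[\p{L}\p{M} .\'-]+$/u');
    $message = clean_field($post['message'] ?? null, 4000, '/^[^\x00]+$/u');
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: null;
    if ($fname === null || $message === null || $email === null) {
        return false;
    }
    // Unsafe pattern to look for when auditing: "... VALUES ('$fname', ...)".
    // With placeholders the values never become part of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO tblcontact (FirstName, Email, Message) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $fname, $email, $message);
    return $stmt->execute();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Use a database account limited to INSERT on this one table.
    $db = new mysqli('localhost', 'bpms_app', getenv('BPMS_DB_PASS') ?: '', 'bpmsdb');
    $db->set_charset('utf8mb4');
    http_response_code(save_contact($db, $_POST) ? 200 : 400);
}
```

Because the advisory notes that other parameters might be affected as well, the same audit for string-built queries applies to every form handler in the application, not only /contact.php.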
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-15T09:12:07.736Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aebdc1
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 7/11/2025, 11:19:22 PM
Last updated: 8/1/2025, 8:29:34 PM