CVE-2025-4761: SQL Injection in PHPGurukul Complaint Management System
A vulnerability has been found in PHPGurukul Complaint Management System 2.0 and classified as critical. This vulnerability affects unknown code of the file /admin/admin-profile.php. The manipulation of the argument mobilenumber leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-4761 is a SQL Injection vulnerability identified in version 2.0 of the PHPGurukul Complaint Management System, specifically within the /admin/admin-profile.php file. The vulnerability arises due to improper sanitization or validation of the 'mobilenumber' parameter, which can be manipulated by an attacker to inject malicious SQL code. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database without requiring any user interaction or privileges. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 6.9, reflecting its network attack vector, low complexity, and no required privileges or user interaction. Exploiting this vulnerability could lead to unauthorized data access, data modification, or potentially database corruption, depending on the database permissions and structure. Although no public exploit is currently known to be actively used in the wild, the disclosure of the vulnerability increases the risk of exploitation by attackers. The lack of available patches or mitigations from the vendor at this time further exacerbates the risk for organizations using this software version. Given the critical role complaint management systems play in handling sensitive user and organizational data, this vulnerability poses a significant risk to confidentiality and integrity of data stored within affected systems.
Potential Impact
For European organizations using PHPGurukul Complaint Management System 2.0, this vulnerability could result in unauthorized disclosure of sensitive complaint data, including personal information of customers or employees, which would violate GDPR and other data protection regulations. The integrity of complaint records could be compromised, undermining trust in organizational processes and potentially leading to legal and reputational damage. Additionally, attackers could leverage the SQL injection to escalate their access within the network or pivot to other systems, increasing the scope of impact. The availability impact is likely limited but cannot be ruled out if attackers execute destructive SQL commands. Given the remote and unauthenticated nature of the exploit, organizations face a heightened risk of automated or targeted attacks, especially if the system is internet-facing or accessible from less secure network segments.
Mitigation Recommendations
Organizations should immediately audit their use of PHPGurukul Complaint Management System 2.0 and isolate affected instances from public internet access where possible. As no official patch is currently available, implement web application firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'mobilenumber' parameter in /admin/admin-profile.php. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries. Employ parameterized queries or prepared statements if modifying the source code is feasible. Monitor logs for suspicious database query patterns or repeated failed attempts to exploit this parameter. Restrict database user permissions to the minimum necessary to limit the impact of any successful injection. Finally, engage with the vendor or community to track patch releases and plan for prompt application once available.
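The fix the recommendations point at (validate the value, then pass it to the database through a prepared statement) looks like this in PHP. This is an added illustration, not PHPGurukul's own source: the table and column names (admin_profiles, mobile) are hypothetical placeholders, the in-memory SQLite database exists only so the script runs on its own, and the two handler functions are written here to contrast the vulnerable pattern with the hardened one.

```php
<?php
// Added illustrative code, not PHPGurukul's source. Table and column names
// (admin_profiles, mobile) are hypothetical placeholders; the SQLite
// in-memory database exists only so the script runs on its own.
declare(strict_types=1);

// Pattern that produces the vulnerability class described above: the submitted
// 'mobilenumber' value is concatenated into the SQL text, so the database
// parses whatever the client sent as part of the statement.
function updateMobileUnsafe(PDO $db, int $adminId, array $post): int
{
    $mobile = $post['mobilenumber'] ?? '';
    $sql = "UPDATE admin_profiles SET mobile = '" . $mobile . "' WHERE id = " . $adminId;
    return (int) $db->exec($sql);
}

// Hardened handler: validate the value, then bind it as a parameter so the
// database only ever sees it as data, never as SQL text.
function validateMobile(string $raw): ?string
{
    $value = trim($raw);
    // Optional leading '+', then 8 to 15 digits (the E.164 upper bound).
    // Anything else, including quotes, comment markers or spaces, is rejected.
    return preg_match('/^\+?[0-9]{8,15}$/', $value) === 1 ? $value : null;
}

function updateMobileSafe(PDO $db, int $adminId, array $post): bool
{
    $mobile = validateMobile((string) ($post['mobilenumber'] ?? ''));
    if ($mobile === null) {
        // Rejected input is worth logging: repeated hits on this parameter are
        // the suspicious pattern the mitigation text asks to monitor for.
        error_log('admin-profile: rejected mobilenumber value');
        return false;
    }
    $stmt = $db->prepare('UPDATE admin_profiles SET mobile = :mobile WHERE id = :id');
    $stmt->bindValue(':mobile', $mobile, PDO::PARAM_STR);
    $stmt->bindValue(':id', $adminId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Demonstration with a constructed database and constructed form submissions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_profiles (id INTEGER PRIMARY KEY, mobile TEXT)');
$db->exec("INSERT INTO admin_profiles (id, mobile) VALUES (1, '0000000000')");

$legit   = ['mobilenumber' => '+4915112345678']; // constructed valid input
$hostile = ['mobilenumber' => "0'"];              // constructed: a stray quote

// Unsafe handler: the quote ends the string literal early and leaves text the
// database cannot parse, so it raises a syntax error. That error is the proof
// that user input was being interpreted as SQL, the condition CVE-2025-4761
// describes for the real 'mobilenumber' parameter.
try {
    updateMobileUnsafe($db, 1, $hostile);
} catch (PDOException $e) {
    echo "unsafe handler: database parsed the input as SQL (" . $e->getMessage() . ")\n";
}

// Safe handler: the same value is rejected before any query is built, and the
// valid number is stored through a bound parameter.
var_dump(updateMobileSafe($db, 1, $hostile));
var_dump(updateMobileSafe($db, 1, $legit));
echo $db->query('SELECT mobile FROM admin_profiles WHERE id = 1')->fetchColumn(), "\n";
```

Running it shows the unsafe handler failing with a database syntax error on the quoted input, the safe handler returning false for that input and true for the valid number, and the stored value being the valid number. The same PDO prepare/bindValue/execute calls work unchanged against MySQL; there, also set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by client-side string interpolation. The validation step is not a substitute for the prepared statement: it shrinks the attack surface and gives you something to log, while the bound parameter is what actually removes the injection.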
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-15T11:40:57.410Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aebdd8
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 7/11/2025, 11:31:39 PM
Last updated: 8/12/2025, 4:41:23 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)