
CVE-2025-5652: SQL Injection in PHPGurukul Complaint Management System

Medium
Tags: Vulnerability, CVE-2025-5652, cve, cve-2025-5652
Published: Thu Jun 05 2025 (06/05/2025, 10:00:32 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Complaint Management System

Description

A vulnerability, which was classified as critical, was found in PHPGurukul Complaint Management System 2.0. Affected is an unknown function of the file /admin/between-date-complaintreport.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 07/07/2025, 03:41:52 UTC

Technical Analysis

CVE-2025-5652 is a SQL injection vulnerability in version 2.0 of the PHPGurukul Complaint Management System, located in the file /admin/between-date-complaintreport.php. The script reads the 'fromdate' and 'todate' request parameters to filter complaint reports by date range, and the advisory indicates that these values reach the SQL query without adequate validation or parameterization. An attacker who can reach the endpoint can therefore supply values that break out of the intended date literal and change the query logic, for example to return every record or to read data the report was never meant to expose. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L) shows that the issue is exploitable over the network with low attack complexity and no user interaction, but it does require low privileges (PR:L): the script lives under /admin/, so the attacker needs a valid account that can reach the admin reporting page, not merely network access. The base score of 5.3 (medium) reflects that privilege requirement together with limited impact on confidentiality, integrity, and availability. No exploitation in the wild has been reported, but exploit details have been disclosed publicly, which lowers the bar for anyone who already holds or can obtain an admin session. Depending on the permissions of the database account used by the application and on the backend configuration, exploitation could expose complaint data, modify records, or disrupt normal operation of the system. No vendor patch or advisory was available at the time of analysis, so affected deployments need compensating controls now.

Potential Impact

For European organizations running PHPGurukul Complaint Management System 2.0, this vulnerability puts the confidentiality and integrity of complaint data at risk; such data often includes personal details of complainants and internal case information. Exploitation could lead to unauthorized disclosure, tampering with records, or disruption of the reporting function, undermining trust in the complaint-handling process and potentially triggering breach-notification duties under GDPR. Because the affected module sits in the administrative area, an attacker who holds or compromises a low-privileged admin account could read or alter data beyond what that role is meant to permit. The consequences are reputational and legal as well as operational, particularly for public sector bodies, consumer rights organizations, and companies with large customer service operations in Europe. The remote reachability and absence of any user-interaction requirement make timely mitigation important even though the score is only medium.

Mitigation Recommendations

Organizations should first confirm whether they run PHPGurukul Complaint Management System 2.0 and, if so, restrict access to the /admin/ area, and to /admin/between-date-complaintreport.php in particular, to trusted administrators, ideally via network segmentation or VPN access. Since exploitation requires an authenticated account, review who holds admin credentials, remove stale accounts, and enforce strong passwords. The durable fix is in the code: rewrite the report query to use prepared statements with bound parameters, and validate 'fromdate' and 'todate' against an allow-list (a strict YYYY-MM-DD format that also round-trips to a real calendar date) rather than trying to filter out SQL metacharacters, which is error-prone and easy to bypass. Until an official patch is released, a Web Application Firewall rule that rejects requests to this endpoint whose date parameters contain anything other than digits and hyphens is a reasonable stop-gap. Log and monitor access to the complaint report functionality, paying attention to requests with malformed date parameters or unexpected response sizes. Include this module in regular security assessments and penetration tests, and keep verified backups of the complaint database so that records can be restored if they are corrupted or deleted.
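The vulnerable pattern and its fix, as an added illustration that is not PHPGurukul's code (the real query in between-date-complaintreport.php is not reproduced here): a date-range report query assembled by string concatenation, beside a hardened version that allow-lists the date format and binds the values through PDO. The table name tblcomplaints, the column names, the parameter names, and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not PHPGurukul code. Shows the class of bug described for
// /admin/between-date-complaintreport.php (dates spliced into SQL) next to a
// hardened version. Table and column names are assumptions.
declare(strict_types=1);

// Vulnerable pattern (assumed): request parameters spliced straight into SQL.
// A value such as  2025-06-01' OR '1'='1  closes the quoted literal and appends
// a tautology, so the report returns every row.
function buildReportQueryUnsafe(string $fromdate, string $todate): string
{
    return "SELECT * FROM tblcomplaints WHERE date(regDate) "
         . "BETWEEN '$fromdate' AND '$todate'";
}

// Allow-list validation: accept only a real calendar date in YYYY-MM-DD form.
// Returns the normalised date string, or null if the input is not acceptable.
function parseReportDate(string $value): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    // createFromFormat rolls over out-of-range days (2025-02-30 becomes
    // March 2), so round-trip the result to reject those as well as any
    // trailing characters the parser may have tolerated.
    if ($d === false || $d->format('Y-m-d') !== $value) {
        return null;
    }
    return $d->format('Y-m-d');
}

// Hardened version: validated input plus a prepared statement. The values are
// bound as data and can never change the structure of the query.
function fetchComplaintsBetween(PDO $pdo, string $fromdate, string $todate): array
{
    $from = parseReportDate($fromdate);
    $to   = parseReportDate($todate);
    if ($from === null || $to === null || $from > $to) {
        throw new InvalidArgumentException(
            'fromdate/todate must be valid YYYY-MM-DD dates with fromdate <= todate'
        );
    }
    $stmt = $pdo->prepare(
        'SELECT id, complaintNumber, regDate FROM tblcomplaints '
        . 'WHERE date(regDate) BETWEEN :fromdate AND :todate'
    );
    $stmt->execute([':fromdate' => $from, ':todate' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE tblcomplaints ('
         . 'id INTEGER PRIMARY KEY, complaintNumber TEXT, regDate TEXT)');
$pdo->exec("INSERT INTO tblcomplaints (complaintNumber, regDate) VALUES "
         . "('C-1', '2025-05-10 09:00:00'), ('C-2', '2025-06-01 14:30:00')");

// Injection payload: closes the literal and appends an always-true condition.
$payload = "2025-06-01' OR '1'='1";

// 1. The unsafe builder happily produces a query whose WHERE clause is now a
//    tautology (printed, never executed here).
echo "unsafe query: ", buildReportQueryUnsafe('2025-05-01', $payload), "\n";

// 2. The hardened function rejects the same payload before any SQL is built.
try {
    fetchComplaintsBetween($pdo, '2025-05-01', $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 3. A legitimate range still works and only returns rows inside it.
foreach (fetchComplaintsBetween($pdo, '2025-05-01', '2025-05-31') as $row) {
    echo $row['complaintNumber'], ' ', $row['regDate'], "\n";
}
```

Run it with `php example.php` on a build that has the pdo_sqlite extension; the unsafe builder exists only to show the shape of the flaw and should never be connected to a real database. Note that the validation step is not a substitute for the prepared statement: the bound parameters are what make the query safe, and the allow-list mainly gives the application a clean error and a loggable event instead of passing garbage through to the database.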


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-04T12:42:03.885Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68416e1d182aa0cae2d97f7b

Added to database: 6/5/2025, 10:14:53 AM

Last enriched: 7/7/2025, 3:41:52 AM

Last updated: 8/1/2025, 6:15:54 AM

Views: 15
