CVE-2025-5653 is a SQL Injection vulnerability identified in version 2.0 of the PHPGurukul Complaint Management System, specifically within the /admin/between-date-userreport.php file. The vulnerability arises due to improper sanitization or validation of the 'fromdate' and 'todate' parameters, which are used to filter user reports by date. An attacker can manipulate these parameters to inject malicious SQL code, potentially altering the intended database queries. This can lead to unauthorized data access, data leakage, or modification of database contents. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. The CVSS 4.0 base score is 5.3, indicating a medium severity level. The vector string (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) shows that the attack can be launched over the network with low attack complexity, no user interaction, and requires low privileges. The impact on confidentiality, integrity, and availability is limited but present. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, which may lead to exploitation attempts. No official patches or mitigation links have been provided yet, increasing the urgency for organizations to implement protective measures.

For European organizations using PHPGurukul Complaint Management System 2.0, this vulnerability poses a risk of unauthorized access to sensitive complaint data, which may include personal information protected under GDPR. Exploitation could lead to data breaches, reputational damage, and potential regulatory penalties. The ability to manipulate database queries remotely without authentication increases the threat level, especially for organizations with publicly accessible administrative interfaces. The integrity of complaint records could be compromised, affecting operational reliability and trustworthiness of the system. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement within the affected organization's infrastructure. Given the critical nature of complaint management systems in customer service and compliance workflows, disruption or data compromise could have significant operational and legal consequences.

1. Immediate mitigation should include restricting access to the /admin/between-date-userreport.php endpoint by IP whitelisting or VPN-only access to limit exposure. 2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'fromdate' and 'todate' parameters. 3. Conduct manual code review and apply input validation and parameterized queries or prepared statements to sanitize user inputs properly. 4. If possible, upgrade to a patched version once available from PHPGurukul or apply community-provided patches. 5. Monitor logs for unusual query patterns or repeated access attempts to the vulnerable endpoint. 6. Educate administrators on the risk and ensure strong authentication and session management controls are in place to reduce the impact of potential exploitation. 7. Consider isolating the complaint management system from critical internal networks to limit lateral movement in case of compromise.