
CVE-2025-5860: SQL Injection in PHPGurukul Maid Hiring Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-5860
Published: Mon Jun 09 2025 (06/09/2025, 04:00:27 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Maid Hiring Management System

Description

A vulnerability, which was classified as critical, was found in PHPGurukul Maid Hiring Management System 1.0. This affects an unknown part of the file /admin/search-booking-request.php. The manipulation of the argument searchdata leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/09/2025, 04:39:48 UTC

Technical Analysis

CVE-2025-5860 is a critical SQL Injection vulnerability identified in version 1.0 of the PHPGurukul Maid Hiring Management System, specifically within the /admin/search-booking-request.php file. The vulnerability arises from improper sanitization or validation of the 'searchdata' parameter, which is directly used in SQL queries without adequate protection against injection attacks. This flaw allows an unauthenticated remote attacker to manipulate the SQL query logic by injecting malicious SQL code through the 'searchdata' parameter. Exploiting this vulnerability can lead to unauthorized access to the underlying database, enabling attackers to read, modify, or delete sensitive data related to booking requests and potentially other administrative information. The vulnerability is remotely exploitable without any authentication or user interaction, increasing the risk of automated exploitation. Although the CVSS 4.0 base score is 6.9, categorized as medium severity, the potential impact on confidentiality, integrity, and availability of the system is significant due to the nature of SQL injection attacks. No patches or mitigations have been officially released at the time of publication, and while no known exploits are currently reported in the wild, public disclosure of the exploit code increases the likelihood of future attacks. The vulnerability affects only version 1.0 of the product, which is a niche management system used primarily for maid hiring services, likely deployed by small to medium-sized agencies managing domestic worker bookings and related administrative tasks.

Potential Impact

For European organizations using the PHPGurukul Maid Hiring Management System, this vulnerability poses a serious risk to the confidentiality and integrity of personal and booking data. Compromise could lead to unauthorized disclosure of sensitive client information, including personal details of domestic workers and clients, potentially violating GDPR and other data protection regulations. Integrity of booking records could be undermined, causing operational disruptions and loss of trust. Availability may also be impacted if attackers leverage SQL injection to execute destructive commands or cause database corruption. Given the administrative nature of the affected component, attackers could escalate privileges or pivot to other internal systems if the application is integrated within broader organizational IT infrastructure. The absence of authentication requirements for exploitation increases the risk of widespread automated attacks. European organizations relying on this system for managing domestic worker services must consider the reputational, legal, and operational consequences of a breach stemming from this vulnerability.

Mitigation Recommendations

Organizations should immediately audit their use of the PHPGurukul Maid Hiring Management System version 1.0 and plan to upgrade to a patched version once available. In the absence of an official patch, implement the following mitigations:

1) Apply input validation and parameterized queries or prepared statements in the /admin/search-booking-request.php file to sanitize the 'searchdata' parameter and prevent SQL injection.
2) Restrict access to the administrative interface via network-level controls such as VPNs, IP whitelisting, or firewall rules to limit exposure to trusted users only.
3) Monitor database and application logs for unusual query patterns or repeated failed attempts indicative of injection attempts.
4) Employ Web Application Firewalls (WAF) with rules targeting SQL injection signatures to block malicious payloads.
5) Conduct regular security assessments and penetration testing focused on injection vulnerabilities.
6) Educate administrators and developers on secure coding practices to prevent similar vulnerabilities in future versions.
7) Ensure backups of critical data are maintained and tested for recovery to mitigate potential data loss from exploitation.
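The following is an added example, not code from the PHPGurukul project, illustrating mitigation 1) above: a hypothetical admin search handler in which the 'searchdata' value is first validated and then bound through a mysqli prepared statement, shown next to the unsafe string-splicing pattern the advisory describes. The table name tblbooking, its columns, the session key admin_id and the database credentials are all assumptions made for the example; the real application's schema is not on this page.

```php
<?php
// Added example, not the PHPGurukul project's own code.
// Assumed schema: tblbooking(id, name, mobile, booking_date). Assumed session key: admin_id.

// Make mysqli throw on errors so a failed prepare() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// UNSAFE pattern (shown only for contrast, do not use): the request value becomes part
// of the SQL text, so it can change the query structure. This is the class of defect
// the advisory describes for the 'searchdata' argument.
function search_bookings_unsafe(mysqli $db, string $searchdata): array
{
    $sql = "SELECT id, name, mobile, booking_date FROM tblbooking "
         . "WHERE name LIKE '%$searchdata%' OR mobile LIKE '%$searchdata%'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// HARDENED version: validate, then parameterize. The value travels to the server
// separately from the query text, so it is only ever treated as data.
function search_bookings(mysqli $db, string $searchdata): array
{
    // 1. Validation: bound the length and reject control characters. This is a
    //    sanity check on the input, not the injection defence itself.
    $searchdata = trim($searchdata);
    if ($searchdata === '' || strlen($searchdata) > 100
        || preg_match('/[\x00-\x1F\x7F]/', $searchdata)) {
        return [];
    }

    // 2. Escape LIKE wildcards so a literal '%' or '_' in the search term does not
    //    turn into a pattern (MySQL's default ESCAPE character is the backslash).
    $pattern = '%' . addcslashes($searchdata, '%_\\') . '%';

    // 3. Prepared statement: '?' placeholders are bound with bind_param(); the SQL
    //    text is fixed and the driver never interpolates the value into it.
    $stmt = $db->prepare(
        'SELECT id, name, mobile, booking_date FROM tblbooking '
        . 'WHERE name LIKE ? OR mobile LIKE ?'
    );
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Entry point (mitigation 2 in spirit): refuse unauthenticated callers before
// touching the database at all, then handle the request with the hardened function.
session_start();
if (empty($_SESSION['admin_id'])) {              // assumed session key
    http_response_code(403);
    exit('Forbidden');
}

$db = new mysqli('localhost', 'db_user', 'db_password', 'maid_hiring'); // assumed credentials
$db->set_charset('utf8mb4');                     // keep the client charset explicit

$results = search_bookings($db, (string)($_POST['searchdata'] ?? ''));

header('Content-Type: application/json');
echo json_encode($results);
```

When retrofitting an existing handler, replace every call site that splices $_POST['searchdata'] (or $_GET) into a query string with the prepared-statement form; the validation step is a useful second layer, but it is the binding that removes the injection, so do not rely on blocklists or addslashes() alone.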


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-08T13:20:42.321Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6846600c71f4d251b57bc255

Added to database: 6/9/2025, 4:16:12 AM

Last enriched: 7/9/2025, 4:39:48 AM

Last updated: 7/30/2025, 4:14:51 PM
