CVE-2025-6319 is a SQL Injection vulnerability identified in version 1.0 of the PHPGurukul Pre-School Enrollment System, specifically within the /admin/add-teacher.php file. The vulnerability arises from improper sanitization or validation of the 'tsubject' parameter, which is directly used in SQL queries without adequate escaping or parameterization. This flaw allows an unauthenticated remote attacker to inject arbitrary SQL commands by manipulating the 'tsubject' argument, potentially leading to unauthorized access, data leakage, or modification of the backend database. Although the vulnerability requires low privileges (PR:L) and no user interaction (UI:N), it has a limited scope of impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The CVSS 4.0 base score is 5.3, categorizing it as a medium severity issue. The vulnerability is publicly disclosed, but no known exploits are currently observed in the wild. The affected product is a niche web application used for managing pre-school enrollment processes, which likely stores sensitive personal data of children, parents, and staff. The attack vector is network-based (AV:N), meaning exploitation can be attempted remotely over the internet or internal networks where the application is accessible. The vulnerability does not require authentication, increasing the risk of exploitation if the application is exposed externally. However, the impact is somewhat limited by the requirement of low privileges and the limited scope of data exposure or modification. The lack of available patches or vendor advisories at this time increases the urgency for organizations to implement compensating controls to mitigate risk.

For European organizations using the PHPGurukul Pre-School Enrollment System 1.0, this vulnerability could lead to unauthorized disclosure or manipulation of sensitive enrollment data, including personal information of children and staff. Such data breaches could result in regulatory non-compliance under GDPR, leading to significant fines and reputational damage. The SQL Injection could also allow attackers to escalate privileges within the application or pivot to other internal systems if the database contains credentials or other sensitive configuration data. Given the critical nature of educational data and the protection requirements for minors, exploitation could have severe privacy implications. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the overall impact on system availability or full database compromise is limited. However, the presence of this vulnerability in administrative functionality increases risk if attackers gain access to administrative interfaces. Organizations operating in the education sector or managing child-related data in Europe should consider this a priority issue to prevent potential data breaches and maintain compliance with data protection laws.

1. Immediate mitigation should include restricting access to the /admin/add-teacher.php endpoint via network-level controls such as IP whitelisting or VPN access to limit exposure to trusted administrators only. 2. Implement Web Application Firewall (WAF) rules specifically targeting SQL Injection patterns on the 'tsubject' parameter to detect and block malicious payloads. 3. Conduct a thorough code review and refactor the vulnerable code to use parameterized queries or prepared statements to eliminate SQL Injection risks. 4. If patching is not yet available, consider deploying application-layer input validation and sanitization for all user-supplied inputs, especially the 'tsubject' parameter. 5. Monitor application logs for unusual query patterns or repeated failed attempts targeting the vulnerable parameter. 6. Educate administrative users about the risks of exposing administrative interfaces publicly and enforce strong authentication and session management controls. 7. Plan for an urgent update or migration to a patched version once available from the vendor or consider alternative enrollment systems with better security track records. 8. Regularly back up enrollment data securely to enable recovery in case of data tampering or loss.