
CVE-2025-6321: SQL Injection in PHPGurukul Pre-School Enrollment System

Severity: Medium
Published: Fri Jun 20 2025 (06/20/2025, 08:31:09 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Pre-School Enrollment System

Description

A vulnerability has been found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-subadmin.php. The manipulation of the argument sadminusername leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/20/2025, 09:01:59 UTC

Technical Analysis

CVE-2025-6321 is a SQL injection vulnerability in version 1.0 of the PHPGurukul Pre-School Enrollment System, located in the /admin/add-subadmin.php script. The 'sadminusername' parameter is incorporated into a database query without adequate validation or parameterization, so an attacker who can reach the endpoint can inject SQL syntax through it and read or modify data in the backend database. The attack is network-based, has low complexity, and needs no user interaction.

It does, however, require privileges: the CVSS 4.0 vector carries PR:L (low privileges required), which is consistent with the script living under the admin area. An attacker therefore needs a valid low-privileged account, or a session obtained some other way, rather than anonymous access. The CVSS 4.0 base score is 5.3 (medium), reflecting low impact on confidentiality, integrity and availability in the scoring. Because the exploit has been publicly disclosed, the likelihood of exploitation attempts is raised.

The affected product is a niche application for managing pre-school enrollment, typically deployed by educational institutions or administrative bodies responsible for early childhood education. No vendor patch is referenced in the advisory at the time of publication, which leaves organizations running the software exposed. In practice, an injection in a script whose purpose is to create sub-administrator accounts can be used to extract sensitive data, alter enrollment records, or escalate privileges within the application, potentially disrupting operations or compromising personal data of children, parents and staff.
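The injection pattern described above, as an added example that is not code from PHPGurukul (the real script is PHP and its exact query is not on the page). It models a sub-admin creation query in Python against an in-memory SQLite database, first built by string concatenation (the flaw class) and then with a parameterized statement, and shows how a crafted 'sadminusername' value changes the role of the row that gets inserted. The table name, column names and payload are assumptions for the demonstration.

```python
"""Illustration of the injection pattern behind CVE-2025-6321.

Added example, not PHPGurukul code. Table and column names are assumed;
the application's real schema and query text are not on the page.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table standing in for the app's sub-admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblsubadmin ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    return conn


def add_subadmin_vulnerable(conn, sadminusername: str, password: str) -> str:
    """Vulnerable: the request parameter is spliced straight into the SQL.

    Returns the SQL that was actually executed so the effect is visible.
    """
    sql = (
        "INSERT INTO tblsubadmin (username, password, role) "
        f"VALUES ('{sadminusername}', '{password}', 'subadmin')"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def add_subadmin_safe(conn, sadminusername: str, password: str) -> None:
    """Hardened: placeholders keep the value as data, never as SQL syntax."""
    conn.execute(
        "INSERT INTO tblsubadmin (username, password, role) VALUES (?, ?, 'subadmin')",
        (sadminusername, password),
    )
    conn.commit()


def subadmins(conn) -> list[tuple[str, str]]:
    """Return (username, role) rows, the state an attacker wants to influence."""
    return conn.execute(
        "SELECT username, role FROM tblsubadmin ORDER BY id"
    ).fetchall()


# Constructed payload: closes the quoted string and the VALUES tuple, supplies
# its own role, and comments out the remainder of the original statement.
PAYLOAD = "attacker', 'pw', 'admin')--"

if __name__ == "__main__":
    vuln = setup_db()
    print(add_subadmin_vulnerable(vuln, PAYLOAD, "hash"))
    print("vulnerable:", subadmins(vuln))   # -> [('attacker', 'admin')]

    safe = setup_db()
    add_subadmin_safe(safe, PAYLOAD, "hash")
    print("hardened:  ", subadmins(safe))   # payload stored verbatim, role 'subadmin'
```

The vulnerable path executes `INSERT ... VALUES ('attacker', 'pw', 'admin')--', 'hash', 'subadmin')`, so the attacker chooses the role column; the parameterized path stores the whole payload as the username and keeps the role the code intended. SQLite only allows one statement per call here, so stacked queries are not the point; even a single rewritten INSERT is enough to create a privileged account.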

Potential Impact

For European organizations, particularly educational institutions and administrative bodies running the PHPGurukul Pre-School Enrollment System, this vulnerability risks exposing personal data of children, parents and staff. Unauthorized database access could lead to data manipulation, enrollment fraud or leakage of confidential records, undermining trust and triggering GDPR breach-notification and accountability obligations. Disruption of enrollment processes could affect operational continuity in schools and local education authorities. Because the exploit is public, opportunistic attacks become more likely, especially against smaller institutions with limited security resources; since exploitation requires a low-privileged account, a compromised or malicious sub-admin login is the realistic starting point. The medium CVSS score signals moderate technical impact, but the sensitivity of the data and the public-service role of the institutions raise the practical consequences. A compromised system could also serve as a foothold for further attacks inside the organization's network.

Mitigation Recommendations

1. Restrict access to the admin area (the /admin/ directory, including add-subadmin.php) to trusted source IPs or a VPN. The endpoint is meant for authenticated administrators, so this removes most Internet-facing exposure without breaking normal use. Because the attack requires an authenticated low-privileged account (PR:L), also review who holds admin and sub-admin credentials and remove accounts that are no longer needed.
2. Add Web Application Firewall (WAF) rules that inspect the 'sadminusername' parameter for SQL injection patterns and block the request. Treat this as a stopgap: signature matching can be bypassed, and it does not fix the query.
3. Review the code and replace string-built SQL with prepared statements or parameterized queries for every user-supplied value in the affected module, and add positive input validation (an allowed character set and length) for the username field.
4. Place the enrollment system on a segmented network with strict access controls so a compromised host cannot be used for lateral movement.
5. Monitor web server, application and database logs for requests to /admin/add-subadmin.php carrying quotes, comment sequences or SQL keywords in the parameter, for bursts of database errors, and for sub-admin accounts that staff did not create.
6. Ask the vendor or community for a fixed release; if none is available, consider migrating to an alternative enrollment system with a better security posture.
7. Brief administrative staff on the risk and on signs of compromise so incidents are detected and reported promptly.
8. Back up enrollment data regularly and keep copies offline so records can be restored if they are tampered with.
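An added example for items 1, 2 and 5 of the list above; it is not code from PHPGurukul or from the page. It shows two controls a practitioner can put in front of the sub-admin creation request: a positive allowlist check on 'sadminusername' (what a WAF rule or application-level filter should enforce, rather than a blacklist of SQL keywords) and a scan of request records that flags attempts against /admin/add-subadmin.php from outside the admin network or with injection-like values. The request records, the admin IP range, the request body field names other than 'sadminusername', and the alert format are constructed for the demonstration.

```python
"""Allowlist validation and request scanning for /admin/add-subadmin.php.

Added example, not PHPGurukul code. ADMIN_NETWORK, the sample requests and
the form field names besides 'sadminusername' are assumptions.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Assumption: the admin panel should only be reached from this range (item 1).
ADMIN_NETWORK = ipaddress.ip_network("10.20.0.0/24")
TARGET_PATH = "/admin/add-subadmin.php"

# Positive validation: letters, digits, dot, underscore or hyphen, 3-32 chars.
# Anything else is rejected before it can reach a query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")

# Low-fidelity signatures used only to label alerts; the allowlist is the control.
SQLI_HINTS = re.compile(
    r"('|--|/\*|;|\bunion\b|\bselect\b|\bor\b\s+\S+=\S+)", re.IGNORECASE
)


def valid_sadminusername(value: str) -> bool:
    """True only for values matching the allowlist pattern."""
    return bool(USERNAME_RE.fullmatch(value))


def sqli_hint(value: str) -> bool:
    """True if the value carries common SQL injection metacharacters or keywords."""
    return bool(SQLI_HINTS.search(value))


def scan_requests(records: list[dict]) -> list[str]:
    """Return one alert string per suspicious request to the vulnerable script."""
    alerts = []
    for r in records:
        if r["path"] != TARGET_PATH:
            continue
        src = ipaddress.ip_address(r["src"])
        # parse_qs URL-decodes the body, so the check sees the value the app sees.
        name = parse_qs(r["body"]).get("sadminusername", [""])[0]
        if src not in ADMIN_NETWORK:
            alerts.append(f"{r['src']} reached {TARGET_PATH} from outside the admin network")
        if not valid_sadminusername(name):
            tag = "sqli-like" if sqli_hint(name) else "malformed"
            alerts.append(f"{r['src']} sent {tag} sadminusername={name!r}")
    return alerts


# Constructed sample: a benign request, an injection attempt from an allowed
# address, a benign request from outside the range, and an unrelated request.
SAMPLE_REQUESTS = [
    {"src": "10.20.0.15", "method": "POST", "path": TARGET_PATH,
     "body": "sadminusername=jane.doe&sadminpassword=x&submit=1"},
    {"src": "10.20.0.15", "method": "POST", "path": TARGET_PATH,
     "body": "sadminusername=attacker%27%2C+%27pw%27%2C+%27admin%27%29--"
             "&sadminpassword=x&submit=1"},
    {"src": "203.0.113.7", "method": "POST", "path": TARGET_PATH,
     "body": "sadminusername=bob&sadminpassword=x&submit=1"},
    {"src": "203.0.113.7", "method": "GET", "path": "/index.php", "body": ""},
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

Run as-is it prints two alerts: the injection attempt from 10.20.0.15 and the request from 203.0.113.7 outside the admin range. The same `valid_sadminusername` check can be applied inside the application before the query is built; the signature regex exists only to give the alert a useful label, since attackers can phrase an injection without any of those tokens.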


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-19T10:02:42.169Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68551ffc7ff74dad36a1fbd1

Added to database: 6/20/2025, 8:46:52 AM

Last enriched: 6/20/2025, 9:01:59 AM

Last updated: 8/11/2025, 8:08:16 AM
