
CVE-2025-6322: SQL Injection in PHPGurukul Pre-School Enrollment System

Severity: Medium
Tags: Vulnerability, CVE-2025-6322
Published: Fri Jun 20 2025 (06/20/2025, 09:00:16 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Pre-School Enrollment System

Description

A vulnerability was found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /visit.php. The manipulation of the argument gname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/20/2025, 09:32:10 UTC

Technical Analysis

CVE-2025-6322 is a SQL injection vulnerability in version 1.0 of the PHPGurukul Pre-School Enrollment System, located in the /visit.php file. The 'gname' parameter is used in a database query without adequate validation or escaping, so an attacker can append SQL syntax to it and alter the query the backend executes. Because the affected functionality is reachable over the network with no privileges and no user interaction, an unauthenticated remote attacker can run attacker-chosen SQL against the application's database.

Although the VulDB description labels the issue "critical", its CVSS 4.0 base score is 6.9, which is medium severity. The vector is network-based (AV:N) with low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N); confidentiality, integrity and availability of the vulnerable system are each rated low (VC:L, VI:L, VA:L), meaning the score treats the impact as partial rather than total. (CVSS 4.0 has no Scope metric; it scores vulnerable-system and subsequent-system impacts separately.) A proof-of-concept exploit has been published, although no widespread exploitation has been reported, and no vendor patch or mitigation was available at the time of this analysis.

The practical impact is driven by the data the application holds: a pre-school enrollment system stores personal information about children and their guardians, so unauthorized disclosure or modification of that data is the main concern. Depending on the privileges of the database account the application uses, exploitation can also cause denial of service through data corruption or resource-intensive queries. The root cause is the classic SQL injection pattern of building query text from request input; the correct fix is parameterized queries (prepared statements), with input validation as defense in depth.
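The following is an added example, not code from PHPGurukul or from the advisory: the page does not show the real query in /visit.php, so the string-concatenation pattern it describes is modelled in Python against an in-memory SQLite database, beside the parameterized form that fixes it. The table names, columns, rows and the name allowlist are all constructed assumptions. It also shows why validation alone is not the fix: a tautology built only from letters, spaces and apostrophes passes a reasonable name allowlist and still rewrites the WHERE clause, while a legitimate name containing an apostrophe breaks the concatenated query outright.

```python
"""Model of the /visit.php 'gname' injection pattern behind CVE-2025-6322.

Added example, not PHPGurukul code: the advisory does not show the real
query, so the PHP string-concatenation pattern is reproduced in Python
against an in-memory SQLite database. Table names, column names and all
rows are constructed for illustration.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed schema: visitor records plus an admin table
    that the visit page should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE visitors (id INTEGER PRIMARY KEY, gname TEXT,
                               child_name TEXT, phone TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT,
                            password_hash TEXT);
        INSERT INTO visitors VALUES (1, 'Alice Smith', 'Bob Smith', '555-0100');
        INSERT INTO visitors VALUES (2, 'Dana O''Brien', 'Eve O''Brien', '555-0101');
        INSERT INTO admin VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return conn


def lookup_vulnerable(conn, gname):
    """Vulnerable form: 'gname' is pasted into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT id, gname, child_name, phone FROM visitors "
           "WHERE gname = '" + gname + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, gname):
    """Hardened form: a bound parameter is always data, never SQL."""
    sql = "SELECT id, gname, child_name, phone FROM visitors WHERE gname = ?"
    return conn.execute(sql, (gname,)).fetchall()


# Defense-in-depth allowlist for a guardian name (assumed policy). It must
# admit the apostrophe because names like O'Brien are legitimate, and the
# apostrophe is exactly the character that breaks out of a SQL string.
GNAME_RE = re.compile(r"[A-Za-z][A-Za-z .'\-]{0,59}")


def gname_is_plausible(gname):
    return GNAME_RE.fullmatch(gname) is not None


def demo():
    """Exercise both query forms with honest input and two injection
    payloads; returns the observations so they can be checked."""
    conn = make_db()
    # Tautology built only from letters, spaces and apostrophes: it passes
    # the name allowlist yet makes the WHERE clause match every row.
    tautology = "x' OR 'a' LIKE 'a"
    # UNION payload that pulls the admin table through the visitor query;
    # the trailing comment swallows the closing quote the code appends.
    union = "x' UNION SELECT id, username, password_hash, '' FROM admin-- "
    out = {
        "honest_vuln": len(lookup_vulnerable(conn, "Alice Smith")),
        "tautology_passes_allowlist": gname_is_plausible(tautology),
        "tautology_vuln": len(lookup_vulnerable(conn, tautology)),
        "tautology_safe": len(lookup_safe(conn, tautology)),
        "union_vuln": lookup_vulnerable(conn, union),
        "union_safe": lookup_safe(conn, union),
        "apostrophe_safe": len(lookup_safe(conn, "Dana O'Brien")),
    }
    # A legitimate apostrophe breaks the concatenated query outright, which
    # is why "just validate the input" is the wrong fix.
    try:
        lookup_vulnerable(conn, "Dana O'Brien")
        out["apostrophe_vuln_error"] = False
    except sqlite3.OperationalError:
        out["apostrophe_vuln_error"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the observations: the concatenated query returns both visitor rows for the tautology and the admin credentials row for the UNION payload, while the parameterized query returns nothing for either and handles "Dana O'Brien" correctly. In PHP the equivalent fix is a mysqli or PDO prepared statement with the value bound as a parameter.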

Potential Impact

For European organizations running PHPGurukul Pre-School Enrollment System 1.0, this vulnerability threatens the confidentiality and integrity of personal data about children and their guardians. Exploitation could expose enrollment records containing personally identifiable information (PII), which the GDPR treats as a personal data breach that may have to be notified, and data manipulation could disrupt enrollment processing and damage the organization's reputation. The CVSS score rates the impact as limited, and SQL injection does not by itself give an attacker code execution on the host; however, what an attacker can do beyond reading and modifying the application's tables depends on the privileges of the database account the application uses (for example, whether it can write files or reach other schemas), so an over-privileged account can turn this into a broader compromise. Because no patch is available, affected organizations remain exposed until compensating controls are in place, and the public exploit code makes opportunistic scanning and exploitation of reachable instances likely. Given the sensitivity of educational data and the European regulatory environment, a successful attack could also bring legal and compliance consequences.

Mitigation Recommendations

Organizations should first inventory their deployments to identify any instance of PHPGurukul Pre-School Enrollment System version 1.0. Since no official patch is available, the following mitigations are recommended:

1) Deploy Web Application Firewall (WAF) rules that inspect the 'gname' parameter of requests to /visit.php for SQL metacharacters and keywords (quotes combined with UNION, SELECT, OR, or comment sequences such as -- and /*) and block or alert on matches. Treat this as a stop-gap: pattern-based blocking can be bypassed with encoding and syntax variations.
2) If the source can be modified, fix the query in /visit.php to use a prepared statement (mysqli or PDO with bound parameters) rather than concatenating 'gname' into the SQL text. Input validation, such as an allowlist of characters plausible in a name, is a useful additional layer but cannot replace parameterization, because a legitimate name can contain an apostrophe.
3) Run the application under a database account with the minimum privileges it needs, typically SELECT, INSERT, UPDATE and DELETE on the application's own tables only, with no FILE, administrative or cross-database privileges, so an injection cannot reach other data or the filesystem.
4) Monitor web server access logs and database query logs for requests to /visit.php whose 'gname' value contains quotes, SQL keywords or comment markers, and for queries that return unexpectedly many rows or touch tables the visit page does not use. If the parameter is submitted in a POST body, access logs will not show it and request-body logging (for example a WAF audit log) is needed.
5) Where feasible, place the enrollment system behind network segmentation or an authenticating reverse proxy to limit who can reach /visit.php.
6) Plan to upgrade to a version that addresses the vulnerability once one is released, or replace the system with an alternative.
7) Brief IT and security teams on this vulnerability and on secure coding practices, in particular parameterized queries, so similar issues are avoided in future deployments.
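The log monitoring recommended above, as an added example that is not part of the advisory and not a vendor-supplied detection: it parses combined-format web server log lines, decodes the 'gname' query parameter of requests to /visit.php (decoding a second time so double-encoded payloads are seen) and reports values that carry SQL injection indicators. The sample log lines are constructed for the example, and the indicator rules are an assumption; a lone apostrophe is deliberately not flagged, since names like O'Brien are legitimate. The scanner takes the path and parameter name as arguments, so the same check generalizes beyond /visit.php and 'gname'. It only sees GET parameters; if the application reads 'gname' from a POST body, the same logic has to run over request-body logs instead.

```python
"""Scanning access logs for CVE-2025-6322 probes against /visit.php.

Added example, not a PHPGurukul or vendor detection: it parses combined-
format web server log lines, decodes the 'gname' query parameter and
reports values that carry SQL injection indicators. The log lines are
constructed for this example; the indicator rules are an assumption.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2025:10:01:02 +0000] "GET /visit.php?gname=Alice+Smith HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jun/2025:10:01:07 +0000] "GET /visit.php?gname=x%27+OR+%27a%27+LIKE+%27a HTTP/1.1" 200 9811 "-" "python-requests/2.32"
203.0.113.9 - - [20/Jun/2025:10:01:09 +0000] "GET /visit.php?gname=x%27%20UNION%20SELECT%20id%2Cusername%2Cpassword%2C1%20FROM%20admin--%20 HTTP/1.1" 200 7210 "-" "python-requests/2.32"
198.51.100.4 - - [20/Jun/2025:10:02:15 +0000] "GET /visit.php?gname=Dana+O%27Brien HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2025:10:03:40 +0000] "GET /visit.php?gname=x%2527%2520OR%25201%253D1 HTTP/1.1" 200 5000 "-" "curl/8.4"
203.0.113.9 - - [20/Jun/2025:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "python-requests/2.32"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

KEYWORD_RE = re.compile(r"\b(union|select|or|and|sleep|benchmark)\b", re.I)
COMMENT_RE = re.compile(r"--|#|/\*")
OPERATOR_RE = re.compile(r"=|\blike\b", re.I)


def classify_gname(value):
    """Decode a gname value one extra time (parse_qs already decoded it
    once; this catches double encoding such as %2527) and return
    (decoded_value, indicator_names)."""
    decoded = unquote_plus(value)
    hits = []
    if "'" in decoded or '"' in decoded:
        hits.append("quote")
    if COMMENT_RE.search(decoded):
        hits.append("comment")
    if KEYWORD_RE.search(decoded):
        hits.append("keyword")
    if OPERATOR_RE.search(decoded):
        hits.append("operator")
    return decoded, hits


def is_injection(hits):
    """A lone quote is normal in a name (O'Brien); flag it only combined
    with SQL syntax, and flag comment markers or keyword+operator pairs."""
    if "comment" in hits:
        return True
    if "quote" in hits and len(hits) >= 2:
        return True
    return "keyword" in hits and "operator" in hits


def scan(log_text, path="/visit.php", param="gname"):
    """Return one finding per request whose `param` value on `path` looks
    like SQL injection. Path and parameter are arguments so the same check
    covers other pages and arguments."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        for raw in parse_qs(url.query).get(param, []):
            decoded, hits = classify_gname(raw)
            if is_injection(hits):
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    param: decoded, "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} gname={f['gname']!r} indicators={f['indicators']}")
```

On the constructed sample the scanner reports the three probes (the tautology, the UNION request and the double-encoded `OR 1=1`) and leaves the two genuine names alone; the same indicator logic is what a WAF rule for item 1 would encode, with the same caveat that keyword lists can be evaded.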


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-19T10:02:44.882Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 685527027ff74dad36a21961

Added to database: 6/20/2025, 9:16:50 AM

Last enriched: 6/20/2025, 9:32:10 AM

Last updated: 8/15/2025, 6:50:28 PM

