CVE-2025-6874 is a SQL Injection vulnerability identified in SourceCodester Best Salon Management System version 1.0, specifically within an unspecified function in the /panel/add_subscribe.php file. The vulnerability arises from improper sanitization or validation of the user-supplied parameters user_id and plan_id, which are directly used in SQL queries. This flaw allows an unauthenticated remote attacker to manipulate these parameters to inject malicious SQL code. The injection can lead to unauthorized access or modification of the underlying database, potentially exposing sensitive customer data, subscription details, or administrative information. The vulnerability does not require user interaction or authentication, making it remotely exploitable over the network. Although the CVSS 4.0 base score is 5.3 (medium severity), the classification as critical in the description suggests that the impact could be significant depending on the deployment context. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known active exploits in the wild have been reported yet. The vulnerability affects only version 1.0 of the product, and no official patches or mitigations have been linked or published at this time. The lack of authentication requirement and remote exploitability make this a notable risk for organizations using this software, especially those handling sensitive client or business data in salon management environments.

For European organizations using SourceCodester Best Salon Management System 1.0, this vulnerability poses a risk of unauthorized data access, data leakage, and potential data manipulation. Given that salon management systems often store personal customer information, appointment schedules, payment details, and subscription plans, exploitation could lead to breaches of personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The ability to remotely exploit the vulnerability without authentication increases the attack surface, potentially allowing attackers to compromise systems without insider access. This could disrupt business operations by corrupting subscription data or causing denial of service through database manipulation. Additionally, if attackers gain administrative database access, they could pivot to other internal systems, increasing the overall risk. The medium CVSS score suggests moderate ease of exploitation and impact, but the critical classification in the description and public exploit disclosure elevate the urgency for European entities to address this vulnerability promptly.

1. Immediate mitigation should include restricting external access to the /panel/add_subscribe.php endpoint via network-level controls such as firewalls or VPNs, limiting exposure to trusted internal networks only. 2. Implement input validation and parameterized queries or prepared statements in the affected code to prevent SQL injection. Since no official patch is currently available, organizations should review and sanitize user_id and plan_id parameters rigorously. 3. Monitor web server and database logs for suspicious activity related to these parameters to detect potential exploitation attempts. 4. Conduct a thorough security audit of the entire application to identify and remediate similar injection flaws. 5. If feasible, upgrade to a newer, patched version of the software once released or consider alternative salon management solutions with better security postures. 6. Educate staff about the risks of SQL injection and ensure secure coding practices are followed for any customizations. 7. Regularly back up databases and test restoration procedures to minimize impact in case of data corruption or loss.