Skip to main content

CVE-2025-6874: SQL Injection in SourceCodester Best Salon Management System

Medium
VulnerabilityCVE-2025-6874cvecve-2025-6874
Published: Sun Jun 29 2025 (06/29/2025, 22:02:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Best Salon Management System

Description

A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the file /panel/add_subscribe.php. The manipulation of the argument user_id/plan_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 06/29/2025, 22:24:29 UTC

Technical Analysis

CVE-2025-6874 is a SQL Injection vulnerability identified in SourceCodester Best Salon Management System version 1.0, specifically within an unspecified function in the /panel/add_subscribe.php file. The vulnerability arises from improper sanitization or validation of the user-supplied parameters user_id and plan_id, which are directly used in SQL queries. This flaw allows an unauthenticated remote attacker to manipulate these parameters to inject malicious SQL code. The injection can lead to unauthorized access or modification of the underlying database, potentially exposing sensitive customer data, subscription details, or administrative information. The vulnerability does not require user interaction or authentication, making it remotely exploitable over the network. Although the CVSS 4.0 base score is 5.3 (medium severity), the classification as critical in the description suggests that the impact could be significant depending on the deployment context. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known active exploits in the wild have been reported yet. The vulnerability affects only version 1.0 of the product, and no official patches or mitigations have been linked or published at this time. The lack of authentication requirement and remote exploitability make this a notable risk for organizations using this software, especially those handling sensitive client or business data in salon management environments.

Potential Impact

For European organizations using SourceCodester Best Salon Management System 1.0, this vulnerability poses a risk of unauthorized data access, data leakage, and potential data manipulation. Given that salon management systems often store personal customer information, appointment schedules, payment details, and subscription plans, exploitation could lead to breaches of personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The ability to remotely exploit the vulnerability without authentication increases the attack surface, potentially allowing attackers to compromise systems without insider access. This could disrupt business operations by corrupting subscription data or causing denial of service through database manipulation. Additionally, if attackers gain administrative database access, they could pivot to other internal systems, increasing the overall risk. The medium CVSS score suggests moderate ease of exploitation and impact, but the critical classification in the description and public exploit disclosure elevate the urgency for European entities to address this vulnerability promptly.

Mitigation Recommendations

1. Immediate mitigation should include restricting external access to the /panel/add_subscribe.php endpoint via network-level controls such as firewalls or VPNs, limiting exposure to trusted internal networks only. 2. Implement input validation and parameterized queries or prepared statements in the affected code to prevent SQL injection. Since no official patch is currently available, organizations should review and sanitize user_id and plan_id parameters rigorously. 3. Monitor web server and database logs for suspicious activity related to these parameters to detect potential exploitation attempts. 4. Conduct a thorough security audit of the entire application to identify and remediate similar injection flaws. 5. If feasible, upgrade to a newer, patched version of the software once released or consider alternative salon management solutions with better security postures. 6. Educate staff about the risks of SQL injection and ensure secure coding practices are followed for any customizations. 7. Regularly back up databases and test restoration procedures to minimize impact in case of data corruption or loss.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-28T11:06:55.338Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6861b9936f40f0eb72860547

Added to database: 6/29/2025, 10:09:23 PM

Last enriched: 6/29/2025, 10:24:29 PM

Last updated: 7/11/2025, 4:24:35 AM

Views: 17

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats