CodeAstro Gym Management System CVE-2025-11589
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in CodeAstro Gym Management System 1.0. Affected is an unknown function of the file /admin/user-payment.php. Performing a manipulation of the argument plan results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the plan parameter in /admin/user-payment.php, resulting in limited data access. The vulnerability requires valid login credentials and has low real-world impact due to constrained scope (no server impact, no integrity violation), though publicly available exploit code exists and exploitation probability is minimal per EPSS analysis.
Technical ContextAI
The vulnerability resides in the /admin/user-payment.php endpoint, a PHP web application component handling payment-related operations. The vulnerable parameter 'plan' fails to properly sanitize or parameterize user input before incorporation into SQL queries, violating secure coding practices for database interaction (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The attack surface is limited to authenticated administrators, and the SQL injection permits only confidentiality violations without server-side impact, suggesting the injection context is read-only or constrained to SELECT statements without UNION-based data exfiltration or stacked queries.
RemediationAI
Update CodeAstro Gym Management System to a patched version beyond 1.0 if available from the vendor at https://codeastro.com/. If no vendor patch is available, implement prepared statements or parameterized queries for all database operations in /admin/user-payment.php to neutralize SQL injection vectors. Restrict access to /admin/user-payment.php to trusted administrator IP ranges via firewall or Web Application Firewall (WAF) rules-this reduces exposure without requiring code changes but does not eliminate the vulnerability if an admin account is compromised. Input validation on the 'plan' parameter should enforce whitelist-based values (e.g., only permit known plan IDs or names) and reject special SQL characters; this is a compensating control but is less reliable than parameterization. Enforce strong password policies and multi-factor authentication for all administrative accounts to reduce compromise probability.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today