CVE-2025-5575

EUVD-2025-16852 | Severity: HIGH
Published: 2025-06-04 | Reported by: [email protected]
CVSS 3.1 base score: 7.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd), EUVD-2025-16852
PoC Detected: Jun 05, 2025 - 14:07 (vuln.today), public exploit code
CVE Published: Jun 04, 2025 - 07:15 (nvd), HIGH 7.3

Description (NVD)

A vulnerability classified as critical was found in PHPGurukul Dairy Farm Shop Management System 1.3. This vulnerability affects unknown code of the file /add-product.php. The manipulation of the argument productname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

PHPGurukul Dairy Farm Shop Management System version 1.3 contains a critical SQL injection vulnerability in the productname parameter of /add-product.php that allows unauthenticated remote attackers to execute arbitrary SQL queries against the application's database. The vulnerability has been publicly disclosed with proof-of-concept code available, creating immediate risk for every exposed installation. With a CVSS score of 7.3 (High) and evidence of public disclosure, this vulnerability should be prioritized for remediation even though the CVSS score falls short of the critical range.

Technical Context (AI)

This vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based web application. The /add-product.php endpoint fails to properly sanitize or parameterize the 'productname' input parameter before incorporating it into SQL queries, allowing attackers to inject arbitrary SQL syntax. PHPGurukul applications are open-source PHP management systems commonly deployed on shared hosting and small business servers. The root cause is insufficient input validation and lack of prepared statements with parameterized queries, a foundational web application security flaw that permits data exfiltration, modification, and deletion at the database layer.

Remediation (AI)

Immediate remediation steps:
(1) Apply input validation to the productname parameter: implement whitelist-based validation accepting only alphanumeric characters, spaces, and safe punctuation.
(2) Migrate all SQL queries in /add-product.php to prepared statements with parameterized queries (mysqli prepared statements or PDO with bound parameters).
(3) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in productname input until patching is complete.
(4) Disable or restrict access to /add-product.php via network access controls if the feature is not actively used.
(5) Contact PHPGurukul for official patch availability, or consider migrating to a maintained alternative if the vendor is unresponsive.
Short-term workaround: restrict HTTP POST access to /add-product.php by IP address or require VPN access to limit the remote exploitation surface.
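The following is an added example illustrating remediation steps (1) and (2); it is not PHPGurukul's code and does not reproduce the affected file. It shows the unsafe string-concatenation pattern that CWE-89 describes next to a hardened handler for the productname parameter that combines whitelist validation with a mysqli prepared statement. The table name tblproducts, the column name productname, and the database credentials are assumptions chosen for illustration.

```php
<?php
// Added example, not the project's own code. Assumed schema: a table
// tblproducts with a column productname (hypothetical names).

// Unsafe pattern: untrusted input is spliced into the SQL text, so any
// quote or comment character in $productname changes the query structure.
function addProductUnsafe(mysqli $conn, string $productname): bool
{
    $sql = "INSERT INTO tblproducts (productname) VALUES ('" . $productname . "')";
    return $conn->query($sql) !== false;
}

// Step (1): whitelist validation. Accept only letters, digits, spaces and a
// small set of punctuation that a product name legitimately needs, with a
// length cap so the value cannot be abused for resource exhaustion either.
function isValidProductName(string $name): bool
{
    return $name !== ''
        && strlen($name) <= 100
        && preg_match('/^[A-Za-z0-9 .,\'()&-]+$/', $name) === 1;
}

// Step (2): prepared statement with a bound parameter. The value travels to
// MySQL separately from the statement text and is never parsed as SQL, so
// validation here is defence in depth rather than the only control.
function addProductSafe(mysqli $conn, string $productname): bool
{
    if (!isValidProductName($productname)) {
        return false;
    }
    $stmt = $conn->prepare('INSERT INTO tblproducts (productname) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $productname); // 's' = bind as string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: reject bad input before the database is touched and
// report mysqli failures as exceptions instead of silently continuing.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $name = $_POST['productname'] ?? '';
    if (addProductSafe($conn, $name)) {
        echo 'Product added';
    } else {
        http_response_code(400);
        echo 'Invalid product name';
    }
    $conn->close();
}
```

The same fix with PDO is `$pdo->prepare('INSERT INTO tblproducts (productname) VALUES (?)')->execute([$productname])`, provided `PDO::ATTR_EMULATE_PREPARES` is set to false so the driver sends a real server-side prepared statement. Whichever API is used, the rule that closes the hole is that request data only ever reaches the query as a bound parameter, never as part of the SQL string.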


CVE-2025-5575 vulnerability details – vuln.today
