CVE-2025-5577

EUVD-2025-16857 | HIGH
2025-06-04 [email protected]
CVSS 3.1 base score: 7.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd), EUVD-2025-16857
PoC Detected: Jun 04, 2025 - 18:28 (vuln.today), public exploit code
CVE Published: Jun 04, 2025 - 08:15 (nvd), HIGH 7.3

Description (NVD)

A vulnerability, which was classified as critical, was found in PHPGurukul Dairy Farm Shop Management System 1.3. Affected is an unknown function of the file /profile.php. The manipulation of the argument mobilenumber leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI-generated)

SQL injection vulnerability in PHPGurukul Dairy Farm Shop Management System version 1.3, specifically in the /profile.php file's mobilenumber parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit code available and carries a CVSS score of 7.3 (high severity), though the actual exploitability depends on database configuration and input filtering implementation.

Technical Context (AI-generated)

This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), manifested here as SQL injection in a PHP-based web application. The /profile.php file fails to validate or parameterize the 'mobilenumber' parameter before incorporating it into SQL query text. PHPGurukul Dairy Farm Shop Management System is a PHP-based e-commerce solution for farm product management. The root cause is inadequate input validation combined with the absence of prepared statements or parameterized queries (e.g., mysqli prepared statements or PDO parameterized queries). The attack surface is the /profile.php endpoint, reachable by any unauthenticated user, as indicated by the CVSS vector's PR:N (No Privileges Required) and UI:N (No User Interaction) metrics.

Remediation (AI-generated)

Immediate actions:

(1) Patch to the latest available version of PHPGurukul Dairy Farm Shop Management System if a security update has been released; consult the official PHPGurukul repository or vendor advisories for patch availability and version numbers.
(2) Use prepared statements or parameterized queries for all database interactions in /profile.php, specifically for the mobilenumber parameter, and validate that the parameter matches the expected phone-number format before it is used.
(3) Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the mobilenumber parameter (e.g., regex filters for SQL keywords and comment sequences). Treat this as a compensating control, not a fix.
(4) Restrict access to /profile.php to authenticated users only if the functionality permits, or implement rate limiting and CAPTCHA to reduce automated exploitation.
(5) Conduct a code review of all user input handlers in profile.php and related files.
(6) Enable and monitor database query logs for suspicious activity.

If patches are unavailable, apply vendor-provided workarounds or consider switching to actively maintained alternatives. Consult the official PHPGurukul GitHub repository or security advisory channels for patch details.
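The defect class and the fix from item (2) above, as an added illustration that is not PHPGurukul's code (the advisory does not identify the affected function, so the query, table and column names below are placeholders): a hypothetical profile update that concatenates the mobilenumber parameter into SQL text, beside hardened mysqli and PDO versions that validate the format and bind the value as data.

```php
<?php
// Added example, not code from the affected project. Table "users" and
// column "mobilenumber" are placeholders; $con / $pdo are assumed to be
// open connections and $uid the current user's id.

// Vulnerable pattern: the request value is spliced into the query string,
// so any quote or SQL syntax it contains is parsed as part of the statement.
function updateMobileVulnerable(mysqli $con, int $uid, string $mobile): bool
{
    $sql = "UPDATE users SET mobilenumber='" . $mobile . "' WHERE id=" . $uid;
    return (bool) mysqli_query($con, $sql);
}

// Hardened (mysqli): reject anything that is not a plausible number, then
// bind the value so the server receives it as data, never as query text.
function updateMobileSafe(mysqli $con, int $uid, string $mobile): bool
{
    // Placeholder format: exactly 10 digits; adjust to the deployment's plan.
    if (!preg_match('/^[0-9]{10}$/', $mobile)) {
        return false;
    }
    $stmt = $con->prepare('UPDATE users SET mobilenumber = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $mobile, $uid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Hardened (PDO): same idea; emulated prepares are disabled so the
// parameters are bound by the database server rather than interpolated
// client-side by the driver.
function updateMobilePdo(PDO $pdo, int $uid, string $mobile): bool
{
    if (!preg_match('/^[0-9]{10}$/', $mobile)) {
        return false;
    }
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('UPDATE users SET mobilenumber = :m WHERE id = :id');
    return $stmt->execute([':m' => $mobile, ':id' => $uid]);
}
```

The format check narrows what the application accepts; the prepared statement is what removes the injection, and it must be applied to every query that touches request input, not only this parameter.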


CVE-2025-5577 vulnerability details – vuln.today
