EUVD-2025-17420Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability has been found in PHPGurukul BP Monitoring Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /registration.php. The manipulation of the argument emailid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Critical SQL injection vulnerability in PHPGurukul BP Monitoring Management System version 1.0, specifically in the /registration.php file's emailid parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit details available, creating immediate risk for unpatched installations.
Technical ContextAI
The vulnerability exists in PHPGurukul BP Monitoring Management System 1.0, a PHP-based web application for blood pressure monitoring management. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection'), which in this context manifests as SQL injection. The emailid parameter in /registration.php fails to properly sanitize or parameterize user input before incorporating it into SQL queries. This allows attackers to inject malicious SQL syntax that gets executed by the backend database, typically MySQL or similar relational database systems used with PHP applications. The flaw is present in the application's user registration functionality, a common entry point since it typically accepts unauthenticated input.
RemediationAI
Immediate actions: (1) PATCH: Contact PHPGurukul or check their repository/website for version 1.1 or later with SQL injection fixes—if no official patch exists, migrate to an alternative maintained BP monitoring system; (2) INPUT VALIDATION: Implement parameterized queries (prepared statements) for all database interactions, specifically the /registration.php emailid parameter using bound parameters instead of string concatenation; (3) WEB APPLICATION FIREWALL (WAF): Deploy WAF rules to detect and block SQL injection attempts targeting /registration.php (detect common SQL keywords in emailid parameter); (4) DATABASE HARDENING: Limit database user permissions to minimal required privileges (principle of least privilege); (5) MONITORING: Enable SQL query logging and audit logging for registration endpoints to detect exploitation attempts; (6) DISABLE if not essential: If the registration functionality is not required, disable the /registration.php endpoint or restrict access by IP. Long-term: Migrate to actively maintained, security-reviewed BP monitoring software with regular security updates.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today