CVE-2025-6318

EUVD-2025-18729 | HIGH 7.3 (CVSS 3.1)
2025-06-20 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd), EUVD-2025-18729
PoC Detected: Jun 26, 2025 - 21:09 (vuln.today), public exploit code
CVE Published: Jun 20, 2025 - 08:15 (nvd), HIGH 7.3

Description

A vulnerability classified as critical was found in PHPGurukul Pre-School Enrollment System 1.0. This vulnerability affects unknown code of the file /admin/check_availability.php. The manipulation of the argument Username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6318 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0. It affects the /admin/check_availability.php file, where the 'Username' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure of exploitation details and confirmed PoC availability indicate a risk of active exploitation in the wild.

Technical Context

This vulnerability exists in PHP-based web application code within the administrative interface of a pre-school enrollment management system. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests here as SQL injection: user input is incorporated into SQL database queries without being validated and parameterized first. The vulnerable endpoint /admin/check_availability.php processes the 'Username' parameter without adequate input filtering or prepared statements, allowing attackers to inject arbitrary SQL commands. The affected product is PHPGurukul Pre-School Enrollment System (CPE: cpe:2.3:a:phpgurukul:pre-school_enrollment_system:1.0:*:*:*:*:*:*:*).

Affected Products

Pre-School Enrollment System 1.0

Remediation

Immediate Mitigation: Restrict administrative access to /admin/check_availability.php via firewall or WAF rules limiting access to trusted IP addresses only, pending patch availability.
Code-Level Fix: Implement parameterized queries (prepared statements) for the Username parameter in /admin/check_availability.php to neutralize SQL injection. Replace direct string concatenation with parameterized query syntax appropriate to the database driver (e.g., PDO with ? placeholders, mysqli with parameterized statements).
Input Validation: Enforce strict input validation on the Username parameter: whitelist alphanumeric characters and underscores, implement length limits, reject special characters including SQL metacharacters (', ", ;, --, /*), and apply server-side validation.
Database Hardening: Configure database user accounts with the principle of least privilege: ensure the application's database user lacks DROP, ALTER, or elevated privileges; restrict to SELECT/INSERT/UPDATE on necessary tables only.
Patch / Upgrade: Await and apply security patches from PHPGurukul as they become available. Monitor the vendor's advisory channels for patched version releases. Consider migrating to maintained alternatives if PHPGurukul ceases active support.
Detection: Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the Username parameter (e.g., rules detecting UNION, SELECT, OR 1=1, --, /* */, etc.).
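
The code-level fix and input validation above, combined in one handler, as an added example rather than PHPGurukul's code (the advisory does not show the vulnerable source). The table `admin_users`, the column `username`, the 3 to 32 character limit and the function names are assumptions; only the `Username` parameter comes from the advisory. The demo at the bottom uses an in-memory SQLite database with constructed data so it runs offline.

```php
<?php
// Added example: hardened username-availability check.
// Hypothetical names (not from the advisory or the vendor's code):
// table `admin_users`, column `username`, the three function names.
declare(strict_types=1);

/** Allow-list validation: letters, digits, underscore, 3 to 32 characters. */
function is_valid_username(string $u): bool
{
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $u) === 1;
}

/** True when no row has this username. The value is bound, never concatenated. */
function username_available(PDO $pdo, string $u): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM admin_users WHERE username = ? LIMIT 1');
    $stmt->execute([$u]);
    return $stmt->fetchColumn() === false; // false means no matching row
}

/** Returns [HTTP status, message] for a POST body such as $_POST. */
function handle_request(PDO $pdo, array $post): array
{
    $u = $post['Username'] ?? '';
    // Username[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($u) || !is_valid_username($u)) {
        return [400, 'Invalid username'];
    }
    return [200, username_available($pdo, $u) ? 'available' : 'taken'];
}

// Offline demo with constructed data (in-memory SQLite, needs pdo_sqlite).
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE admin_users (username TEXT PRIMARY KEY)');
    $pdo->exec("INSERT INTO admin_users VALUES ('admin')");
    foreach (['admin', 'new_user', "x' OR '1'='1"] as $input) {
        [$code, $msg] = handle_request($pdo, ['Username' => $input]);
        printf("%-16s -> %d %s\n", $input, $code, $msg);
    }
}
```

Validation and binding are independent layers: even if the allow-list were loosened, the bound parameter would still be treated as data and not as SQL.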

Priority Score

57
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20
