CVE-2025-6322

| EUVD-2025-18772 HIGH
2025-06-20 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-18772
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
PoC Detected
Jun 26, 2025 - 21:08 vuln.today
Public exploit code
CVE Published
Jun 20, 2025 - 09:15 nvd
HIGH 7.3

Tags

PHP SQLi Pre School Enrollment System

Description

A vulnerability was found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /visit.php. The manipulation of the argument gname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6322 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, affecting the /visit.php file's 'gname' parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and confirmed POC availability significantly elevate real-world exploitation risk.

Technical Context

The vulnerability resides in the /visit.php file of PHPGurukul Pre-School Enrollment System, a PHP-based web application for educational institution management. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), specifically SQL injection. The 'gname' parameter is passed to the application without proper input validation or parameterized query preparation, allowing attackers to inject malicious SQL syntax directly into database queries. This represents a classic instance of unsanitized user input being concatenated into dynamic SQL statements rather than using prepared statements with bound parameters.

Affected Products

PHPGurukul Pre-School Enrollment System version 1.0 (CPE: cpe:2.3:a:phpgurukul:pre-school_enrollment_system:1.0:*:*:*:*:*:*:*). The vulnerability affects all installations of this specific version with /visit.php accessible via HTTP/HTTPS. No patched versions or vendor advisories are currently documented in standard vulnerability databases, suggesting either limited vendor responsiveness or the system's maintenance status may be discontinued.

Remediation

Immediate remediation steps: (1) DISABLE or RESTRICT access to /visit.php via web server configuration (Apache .htaccess or Nginx rules) until patching is available; (2) IMPLEMENT input validation on the 'gname' parameter using whitelist approaches (alphanumeric characters only if applicable); (3) REFACTOR the vulnerable code to use prepared statements with parameterized queries instead of string concatenation; (4) APPLY Web Application Firewall (WAF) rules to block common SQL injection patterns in the 'gname' parameter (keywords: UNION, SELECT, OR 1=1, etc.); (5) UPGRADE to PHPGurukul version 1.1 or later if available from vendor; (6) If no patch exists, consider migrating to an actively maintained enrollment system with security patching support; (7) AUDIT database logs for evidence of prior exploitation attempts.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6322 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy