EUVD-2025-17040Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registered-user-testing.php. The manipulation of the argument testtype leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AnalysisAI
Critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management System 1.0, affecting the /registered-user-testing.php file via the 'testtype' parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete sensitive database records without user interaction. The exploit has been publicly disclosed and is likely actively exploited in the wild, making this a high-priority security issue despite the moderate CVSS 7.3 score.
Technical ContextAI
The vulnerability stems from improper input validation in a PHP-based web application (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The /registered-user-testing.php endpoint directly incorporates user-supplied input from the 'testtype' parameter into SQL queries without parameterized statements or prepared statement usage. This classic SQL injection flaw allows attackers to manipulate SQL syntax, breaking out of intended query contexts to execute arbitrary database commands. The application processes user input through PHP with database operations likely performed via MySQLi or PDO without proper escaping or query parameterization.
RemediationAI
Immediate actions: (1) Apply input validation: implement strict whitelist validation for the 'testtype' parameter accepting only known valid test type values; (2) Use parameterized queries: refactor /registered-user-testing.php to use prepared statements with bound parameters in all database interactions; (3) Apply SQL escaping: at minimum, use mysqli_real_escape_string() or equivalent, though parameterized queries are strongly preferred; (4) Web Application Firewall (WAF) rules: deploy WAF signatures to block SQL injection patterns in testtype parameter; (5) Check for vendor patches via phpgurukul.com or GitHub repository; (6) If no patch available, implement query string filtering at application middleware level. For organizations unable to patch immediately: disable or restrict access to /registered-user-testing.php via network controls (IP whitelisting, VPN requirement) until patched.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today