EUVD-2025-17040

| CVE-2025-5707 HIGH
2025-06-06 [email protected]
PHP SQLi
7.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17040
PoC Detected
Jun 10, 2025 - 15:00 vuln.today
Public exploit code
CVE Published
Jun 06, 2025 - 01:15 nvd
HIGH 7.3

DescriptionNVD

A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registered-user-testing.php. The manipulation of the argument testtype leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AnalysisAI

Critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management System 1.0, affecting the /registered-user-testing.php file via the 'testtype' parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete sensitive database records without user interaction. The exploit has been publicly disclosed and is likely actively exploited in the wild, making this a high-priority security issue despite the moderate CVSS 7.3 score.

Technical ContextAI

The vulnerability stems from improper input validation in a PHP-based web application (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The /registered-user-testing.php endpoint directly incorporates user-supplied input from the 'testtype' parameter into SQL queries without parameterized statements or prepared statement usage. This classic SQL injection flaw allows attackers to manipulate SQL syntax, breaking out of intended query contexts to execute arbitrary database commands. The application processes user input through PHP with database operations likely performed via MySQLi or PDO without proper escaping or query parameterization.

RemediationAI

Immediate actions: (1) Apply input validation: implement strict whitelist validation for the 'testtype' parameter accepting only known valid test type values; (2) Use parameterized queries: refactor /registered-user-testing.php to use prepared statements with bound parameters in all database interactions; (3) Apply SQL escaping: at minimum, use mysqli_real_escape_string() or equivalent, though parameterized queries are strongly preferred; (4) Web Application Firewall (WAF) rules: deploy WAF signatures to block SQL injection patterns in testtype parameter; (5) Check for vendor patches via phpgurukul.com or GitHub repository; (6) If no patch available, implement query string filtering at application middleware level. For organizations unable to patch immediately: disable or restrict access to /registered-user-testing.php via network controls (IP whitelisting, VPN requirement) until patched.

Share

EUVD-2025-17040 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy