
PHP: EUVD-2025-21261 | CVE-2025-7534 (MEDIUM)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published 2025-07-13, CNA: cna@vuldb.com
CVSS 4.0 (NVD): 5.5

Severity by source

NVD (primary): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (6 events)

Apr 29, 2026 01:11 (NVD): Severity changed, HIGH → MEDIUM
Apr 29, 2026 01:11 (NVD): CVSS changed, 7.3 (HIGH) → 5.5 (MEDIUM)
Mar 16, 2026 09:18 (euvd): EUVD ID assigned, EUVD-2025-21261
Mar 16, 2026 09:18 (vuln.today): Analysis generated
Jul 16, 2025 14:55 (vuln.today): PoC detected, public exploit code
Jul 13, 2025 17:15 (nvd): CVE published, HIGH 7.3

Description (CVE.org)

A vulnerability was found in PHPGurukul Student Result Management System 2.0. It has been classified as critical. Affected is an unknown function of the file /notice-details.php of the component GET Parameter Handler. The manipulation of the argument nid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-7534 is a critical SQL injection vulnerability in PHPGurukul Student Result Management System 2.0, exploitable through the 'nid' GET parameter in /notice-details.php. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the application database. Public exploit disclosure and confirmed attack surface (unauthenticated, network-accessible endpoint) elevate real-world risk despite the moderate CVSS 7.3 score.

Technical Context (AI)

The vulnerability stems from missing input validation and missing query parameterization in the GET Parameter Handler of /notice-details.php. The underlying weakness is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), manifesting here as SQL injection (the CWE-89 subclass). PHPGurukul Student Result Management System 2.0 neither sanitizes the 'nid' parameter nor passes it through a prepared statement before incorporating it into a SQL query. This is a common pattern in legacy PHP applications that concatenate user input directly into SQL strings instead of using parameterized queries or an ORM. Because the affected component processes GET parameters without adequate validation, an attacker can break out of the intended SQL syntax and inject additional SQL.

Remediation (AI)

Immediate actions:

(1) Validate the 'nid' parameter against a whitelist of the expected format (a numeric ID only) and reject any malformed input.
(2) Refactor /notice-details.php to use parameterized queries (prepared statements) with placeholders instead of string concatenation, for example mysqli_prepare() with ? placeholders, or PDO with named parameters.
(3) As an interim mitigation, deploy Web Application Firewall (WAF) rules that detect and block SQL injection patterns in GET parameters (e.g., UNION, SELECT, OR 1=1 signatures).
(4) Apply the principle of least privilege to the database credentials the application uses (a read-only account for SELECT-only code paths, where feasible).

Long-term: upgrade to a patched version once PHPGurukul releases one. Vendor patch details were not provided in the source data; contact the vendor directly or monitor security advisories at phpgurukul.com and the project's GitHub repository. No vendor advisory link was provided in the source intelligence.
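The handler shape recommended in steps (1) and (2), written out as an added PHP example; this is not PHPGurukul's code, and the table and column names (tblnotice, id, title, body) are assumptions for the demo:

```php
<?php
// Added example, not PHPGurukul's code. Table/column names (tblnotice, id,
// title, body) are assumptions; the schema and row below are constructed.

// The pattern the advisory describes: the GET value is spliced into the SQL
// text, so quotes or operators inside it change the statement's structure.
function buildNoticeQueryVulnerable(string $nid): string
{
    return "SELECT title, body FROM tblnotice WHERE id='" . $nid . "'";
}

// Hardened handler: whitelist the expected format, then bind a typed parameter.
function fetchNotice(PDO $db, array $get): ?array
{
    // Step 1: a notice id is a positive integer; anything else is rejected
    // before it reaches the database layer.
    $nid = filter_var($get['nid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($nid === false) {
        http_response_code(400);
        return null;
    }

    // Step 2: prepared statement with a bound integer. The value is only ever
    // data and cannot alter the statement. On MySQL, also set
    // PDO::ATTR_EMULATE_PREPARES to false so the server performs the binding.
    $stmt = $db->prepare('SELECT title, body FROM tblnotice WHERE id = :nid');
    $stmt->bindValue(':nid', $nid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on in-memory SQLite with constructed data.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tblnotice (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO tblnotice VALUES (7, 'Exam schedule', 'Posted for term 2')");

var_dump(fetchNotice($db, ['nid' => '7']));     // well-formed id, looked up via bound parameter
var_dump(fetchNotice($db, ['nid' => '7abc']));  // non-numeric id, rejected before any query runs
```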


EUVD-2025-21261 vulnerability details – vuln.today
