CVE Alert: CVE-2025-10663 – PHPGurukul – Online Course Registration
CVE-2025-10663
A vulnerability was found in PHPGurukul Online Course Registration 3.1. This affects an unknown function of the file /my-profile.php. Performing manipulation of the argument cgpa results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.
AI Summary Analysis
Risk verdict
High risk: remotely exploitable SQL injection through the cgpa parameter of /my-profile.php in PHPGurukul Online Course Registration 3.1, with exploit details already public. The vendor description does not say whether a logged-in session is required; a profile page is normally reachable only after login, so assume the bar is at most a self-registered student account, not an administrator. Patch or mitigate promptly.
Why this matters
A public proof of concept makes opportunistic scanning and exploitation likely. SQL injection in a registration system puts student records (profiles, grades, enrolments, stored credentials) at risk of disclosure or tampering and, depending on the privileges of the database account the application uses, of deletion or broader compromise of the database host, with regulatory and reputational consequences for the institution running it.
Most likely attack path
- The attacker reaches /my-profile.php over the internet (after logging in, if the page enforces a session) and submits a crafted cgpa value containing SQL syntax.
- Because the value is spliced into the query text rather than bound as a parameter, the injected SQL executes in the application's database context, allowing data disclosure or modification with no interaction from any other user.
- The impact is bounded by the database: what the attacker can read, change or execute beyond the profile tables depends entirely on the privileges granted to the database account the web application connects with.
Who is most exposed
Internet-facing deployments of PHPGurukul Online Course Registration 3.1, typically run on a LAMP or LEMP stack; instances on shared or low-cost cloud hosting with little logging and no WAF are the most exposed, since attempts there are unlikely to be noticed before they succeed.
Detection ideas
- Web server access logs showing requests to /my-profile.php whose cgpa value is not a plain number or contains SQL metacharacters and keywords (quotes, comment sequences, UNION, SELECT, SLEEP, OR 1=1). If cgpa is submitted in a POST body, the access log records only the URL; you need WAF, reverse-proxy or application-level request logging to see the value.
- Application or PHP error logs with MySQL syntax errors originating from /my-profile.php, and HTTP 500 responses on that URL.
- IDS/IPS or WAF signatures for SQL injection firing on the cgpa parameter.
- Unusual query volume, slow queries (time-based blind payloads) or access to tables unrelated to the profile page from the web application's database account.
- Anomalous data access patterns or out-of-band exfiltration indicators (DNS or HTTP callbacks originating from the database host).
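The access-log check above, as an added example that is not part of the original alert and not code from PHPGurukul. It assumes combined-format (Apache/Nginx) logs, that the vulnerable parameter is named cgpa as the advisory states, and that a legitimate CGPA is a short decimal; the log lines are constructed for the example. It also shows the POST caveat: a POST to the page from an IP that was already seen injecting is flagged even though the body is not in the log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from any real server). Only GET requests
# expose the cgpa value in the URL; the final line is a POST whose body the
# access log does not contain.
SAMPLE_LOG = r"""
198.51.100.7 - - [05/Oct/2025:10:12:01 +0000] "GET /my-profile.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2025:10:12:09 +0000] "GET /my-profile.php?cgpa=8.4 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2025:10:13:44 +0000] "GET /my-profile.php?cgpa=8.4'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 4120 "-" "sqlmap/1.8"
203.0.113.9 - - [05/Oct/2025:10:13:47 +0000] "GET /my-profile.php?cgpa=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 512 "-" "sqlmap/1.8"
203.0.113.9 - - [05/Oct/2025:10:13:50 +0000] "POST /my-profile.php HTTP/1.1" 200 4120 "-" "sqlmap/1.8"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/my-profile.php"          # endpoint named in the advisory
VALID_CGPA = re.compile(r"^\d{1,2}(\.\d{1,2})?$")   # assumption: a CGPA is a short decimal
SQLI_HINT = re.compile(
    r"(['\"]|--|/\*|#|\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b|\bor\b\s+\d+\s*=)",
    re.IGNORECASE,
)


def scan(log_text):
    """Return a list of findings for suspicious traffic to the vulnerable page."""
    findings = []
    suspicious_ips = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        reasons = []
        # parse_qs percent-decodes, so %27 and %20 are already ' and space here.
        for value in parse_qs(parts.query, keep_blank_values=True).get("cgpa", []):
            if not VALID_CGPA.match(value):
                reasons.append(f"cgpa is not a plain number: {value!r}")
            if SQLI_HINT.search(value):
                reasons.append("SQL syntax in cgpa")
        status = int(m["status"])
        if status >= 500:
            reasons.append("server error on the vulnerable URL (possible SQL error)")
        if m["method"] == "POST" and m["ip"] in suspicious_ips:
            reasons.append("POST from an IP already seen injecting; body not in access log, check WAF/app logs")
        if reasons:
            suspicious_ips.add(m["ip"])
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": status, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["status"], "; ".join(f["reasons"]))
```

Run it against a real log with `scan(open("access.log").read())`; the benign `cgpa=8.4` request is not reported, the two sqlmap-style GETs are, and the follow-on POST is reported only because its source IP was already flagged.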
Mitigation and prioritisation
- Apply the vendor's fix if one is published. If none is available, patch the code yourself: validate cgpa server-side (it is a grade point average, so reject anything that is not a number in the expected range) and rewrite the query in /my-profile.php as a prepared statement (mysqli or PDO) with cgpa bound as a parameter. Since the advisory does not identify the exact function, do the same for every other user-supplied value in that file.
- Run the application under a least-privilege database account (SELECT/INSERT/UPDATE on its own tables only, no FILE privilege, no access to other schemas) so that a successful injection cannot reach beyond the application's own data; remove any remaining dynamic SQL from the affected code paths.
- Put a WAF rule in front of /my-profile.php that blocks common SQL injection patterns in cgpa, and treat it as a stopgap rather than a fix.
- Turn off display of database errors to users (display_errors off in production, generic error pages) so that failed injection attempts do not leak schema details.
- Given the public exploit, remediate ahead of the normal patch cycle rather than within it; until the fix is in place, monitor the vulnerable URL and the application's database account for the indicators above.
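The vulnerable pattern beside its hardened form, as an added example that is not part of the original alert and not PHPGurukul's code (the advisory does not show the affected function, so the string-built UPDATE below is a hypothetical reconstruction of the defect class, and the `students` table is constructed for the demo). It uses Python's sqlite3 so it runs offline; in the PHP application the equivalent fix is a mysqli or PDO prepared statement with cgpa bound as a parameter. It also shows why validation still matters: binding alone stops the injection but lets garbage into the column.

```python
import re
import sqlite3


def make_db():
    """Constructed schema and rows for the example; not the real application's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE students(id INTEGER PRIMARY KEY, name TEXT, cgpa REAL, password_hash TEXT);
        INSERT INTO students VALUES (1, 'alice', 8.4, 'hash-a');
        INSERT INTO students VALUES (2, 'bob',   7.1, 'hash-b');
    """)
    return db


def update_cgpa_vulnerable(db, student_id, cgpa):
    # Hypothetical reconstruction of the defect: user input spliced into SQL text.
    sql = f"UPDATE students SET cgpa='{cgpa}' WHERE id={student_id}"
    db.execute(sql)
    db.commit()


def update_cgpa_bound_only(db, student_id, cgpa):
    # Parameter binding alone: the payload becomes a literal value and cannot
    # alter the query, but without validation it is still stored verbatim.
    db.execute("UPDATE students SET cgpa=? WHERE id=?", (cgpa, int(student_id)))
    db.commit()


CGPA_RE = re.compile(r"^\d{1,2}(\.\d{1,2})?$")   # assumption: CGPA is a short decimal


def update_cgpa_safe(db, student_id, cgpa):
    # Hardened form: validate the value, then bind it as a parameter.
    if not CGPA_RE.match(cgpa):
        raise ValueError("cgpa must be a number such as 8.4")
    value = float(cgpa)
    if not 0.0 <= value <= 10.0:                   # assumption: a 10-point scale
        raise ValueError("cgpa out of range")
    db.execute("UPDATE students SET cgpa=? WHERE id=?", (value, int(student_id)))
    db.commit()


def cgpas(db):
    return dict(db.execute("SELECT name, cgpa FROM students ORDER BY id"))


def demo():
    # Closes the quoted literal, replaces the WHERE clause, and comments out the
    # rest. The trailing space after -- is what MySQL needs for a line comment.
    payload = "9.9' WHERE 1=1 -- "

    vuln = make_db()
    update_cgpa_vulnerable(vuln, 1, payload)      # every student's CGPA rewritten

    bound = make_db()
    update_cgpa_bound_only(bound, 1, payload)     # only alice's row touched, but with junk

    safe = make_db()
    try:
        update_cgpa_safe(safe, 1, payload)
        rejected = False
    except ValueError:
        rejected = True
    update_cgpa_safe(safe, 1, "9.9")              # a legitimate update still works

    return {"vulnerable": cgpas(vuln), "bound_only": cgpas(bound),
            "rejected": rejected, "safe": cgpas(safe)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the three outcomes side by side: the string-built query updates both rows, the bound-only query stores the payload as text in alice's cgpa column, and the validated, bound query rejects the payload and applies only the legitimate value.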