CVE Alert: CVE-2025-11053 – PHPGurukul – Small CRM
CVE-2025-11053
A vulnerability has been identified in PHPGurukul Small CRM 4.0. It affects an unknown function in the file /forgot-password.php: manipulation of the argument email leads to SQL injection. The attack can be launched remotely. A public exploit is available and may be used.
AI Summary Analysis
Risk verdict
High risk due to remote, unauthenticated SQL injection via the forgot-password endpoint with public PoC availability; treat as urgent for remediation.
Why this matters
A crafted email parameter alters the query behind the password-reset lookup, letting an attacker read or corrupt data, which could expose user records or enable account-related abuse (for example, interfering with reset handling). In the worst case an attacker could use the web layer as a pivot to reach adjacent systems or tamper with data, even though the CVSS rating scores each individual impact component (confidentiality, integrity, availability) as low.
Most likely attack path
Attacker profile: remote, unauthenticated, no user interaction needed. The attacker submits crafted input in the email parameter to forgot-password.php, where it is incorporated into a database query. With network access and the low privilege level required, the attacker could read or modify data within the affected scope, bounded by the database account's permissions and the application's trust boundaries. Because no user interaction is required, automated scanners probing for this pattern are likely to find exposed instances.
Who is most exposed
Internet-facing installations of PHPGurukul Small CRM 4.0, especially self-hosted or MSP-hosted deployments on LAMP stacks where forgot-password.php is reachable without authentication.
Detection ideas
- Anomalous SQL error messages or stack traces in web server or DB logs.
- Unusual values in forgot-password requests (quotes, comment sequences such as -- or /*, SQL keywords such as UNION or SLEEP, values that are not syntactically an e-mail address).
- Spikes in failed authentication or password-reset attempts, particularly many reset requests from one source in a short window.
- Suspicious query text (quotes, comment sequences, UNION) recorded in application or database query logs.
- WAF alerts for SQL injection payloads targeting forgot-password.php.
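The detection ideas above, run over sample log data, as an added example that is not part of the original alert or of the Small CRM project. It assumes an application-level request log in JSON lines form with the field names shown (ts, src, path, params), which is an assumption for the example; the log entries, IPs and addresses are constructed. It flags SQL syntax in the email value and bursts of reset requests from one source, and deliberately does not alert on a lone apostrophe in an otherwise valid address:

```python
"""Detection sketch: SQL-injection probes against a forgot-password endpoint.

Added example; not code from the Small CRM project. It scans a constructed
application-level request log (JSON lines) whose field names are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators that a value submitted as an e-mail address carries SQL syntax.
SQLI_PATTERNS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"(--|#|/\*)"),
    "tautology": re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=", re.I),
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I),
}
# Indicators strong enough to alert on by themselves; a lone quote is not,
# because addresses such as o'brien@example.com are legitimate.
STRONG = {"comment", "tautology", "union_select", "time_delay"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample log; timestamps, IPs and addresses are invented.
SAMPLE_LOG = """\
{"ts":"2025-10-01T10:00:01","src":"203.0.113.7","path":"/forgot-password.php","params":{"email":"alice@example.com"}}
{"ts":"2025-10-01T10:00:05","src":"198.51.100.9","path":"/forgot-password.php","params":{"email":"x' OR '1'='1"}}
{"ts":"2025-10-01T10:00:06","src":"198.51.100.9","path":"/forgot-password.php","params":{"email":"x' UNION SELECT 1,2,3-- "}}
{"ts":"2025-10-01T10:00:07","src":"198.51.100.9","path":"/forgot-password.php","params":{"email":"x' AND SLEEP(5)-- "}}
{"ts":"2025-10-01T10:00:09","src":"192.0.2.4","path":"/index.php","params":{}}
{"ts":"2025-10-01T10:00:10","src":"192.0.2.4","path":"/forgot-password.php","params":{"email":"o'brien@example.com"}}
"""

def sqli_indicators(value):
    """Names of the indicators present in a submitted email value."""
    hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(value)]
    if not EMAIL_RE.match(value):
        hits.append("not_an_email")
    return hits

def is_suspicious(indicators):
    """Alert on a strong indicator, or on a quote inside a malformed address."""
    found = set(indicators)
    return bool(found & STRONG) or {"quote", "not_an_email"} <= found

def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def scan(events):
    """Per-request alerts for suspicious email values sent to the reset endpoint."""
    alerts = []
    for ev in events:
        if ev["path"] != "/forgot-password.php":
            continue
        email = ev.get("params", {}).get("email", "")
        indicators = sqli_indicators(email)
        if is_suspicious(indicators):
            alerts.append({"ts": ev["ts"], "src": ev["src"],
                           "email": email, "indicators": indicators})
    return alerts

def burst_sources(events, window_seconds=60, threshold=3):
    """Sources that hit the reset endpoint at least `threshold` times in a window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["path"] == "/forgot-password.php":
            by_src[ev["src"]].append(datetime.fromisoformat(ev["ts"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[src] = count
                break
    return flagged

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in scan(evs):
        print(alert)
    print("burst sources:", burst_sources(evs))
```

On the constructed sample this reports three alerts, all from 198.51.100.9, and flags that source for three reset requests within the window; the o'brien@example.com request is not reported. In a real deployment the email value is normally sent in a POST body, so the web server access log alone will not contain it: the application, a reverse proxy with body logging, or the WAF has to record the parameter for this check to see it.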
Mitigation and prioritisation
- Apply a vendor fix if one is released; until then, rewrite the affected query to use parameterised (prepared) statements and reject any submitted value that is not a syntactically valid e-mail address before it reaches the database.
- Harden database access: least-privilege accounts for the application (no DDL, no access to unrelated schemas), a database that is not reachable from the internet, and separate credentials per application.
- Implement WAF rules and rate limits on the forgot-password endpoint and monitor for SQL injection patterns.
- Log requests thoroughly, but return generic error pages so database errors are never echoed to clients; roll changes out in stages and test them.
- If the CVE is listed in CISA KEV or its EPSS score is 0.5 or higher (neither value was available when this page was generated), treat it as priority 1. Otherwise prioritise patching within 1–2 sprints and validate in staging.
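The query pattern described under the attack path, beside the parameterised query and input validation recommended above, as an added example that is not part of the original alert or of the Small CRM code base. It is written in Python against an in-memory SQLite database so it runs offline; the table name, columns and rows are constructed for the demonstration. The same contrast applies to PHP, where the hardened form is a prepared statement via PDO or mysqli:

```python
"""The query pattern behind the bug beside its parameterised replacement.

Added example in Python/sqlite3 (runs offline); not Small CRM's code. The
table, column names and rows are constructed for the demonstration.
"""
import re
import sqlite3

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def make_db():
    """In-memory stand-in for the CRM user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbluser (id INTEGER PRIMARY KEY, email TEXT, pwhash TEXT)")
    db.executemany("INSERT INTO tbluser (email, pwhash) VALUES (?, ?)",
                   [("alice@example.com", "hash-a"), ("bob@example.org", "hash-b")])
    return db

def lookup_vulnerable(db, email):
    """String concatenation: the submitted value becomes part of the SQL text."""
    sql = "SELECT id, email FROM tbluser WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, email):
    """Bound parameter: the value is sent as data and never parsed as SQL."""
    return db.execute("SELECT id, email FROM tbluser WHERE email = ?",
                      (email,)).fetchall()

def reset_lookup(db, email):
    """Hardened handler: validate the shape first, then use the bound query."""
    if not EMAIL_RE.match(email):
        return []          # reject without touching the database
    return lookup_safe(db, email)

def vulnerable_error(db, email):
    """Error text the vulnerable query raises on a stray quote, or None."""
    try:
        lookup_vulnerable(db, email)
        return None
    except sqlite3.Error as exc:
        return str(exc)

if __name__ == "__main__":
    db = make_db()
    payloads = ["x' OR '1'='1",
                "x' UNION SELECT id, pwhash FROM tbluser WHERE '1'='1"]
    for p in payloads:
        print("vulnerable:", lookup_vulnerable(db, p))
        print("hardened  :", reset_lookup(db, p))
    print("error leak:", vulnerable_error(db, "o'brien@example.com"))
```

With the tautology payload the concatenated query returns every user; with the UNION payload it returns the password-hash column in place of the e-mail column, which is the data-extraction path the risk verdict refers to. The bound query returns nothing for either payload, and the validated handler never runs a query at all. The last line shows the other symptom worth watching for: a legitimate address containing an apostrophe makes the concatenated query raise a syntax error, which is exactly the kind of database error message the detection section says should never reach a client.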