CVE Alert: CVE-2025-10087 – SourceCodester – Pet Grooming Management Software
CVE-2025-10087
A security vulnerability has been identified in SourceCodester Pet Grooming Management Software 1.0. An unknown function of the file /admin/profit_report.php is affected: manipulation of the argument product_id leads to SQL injection. The attack can be launched remotely. A public exploit has been disclosed and may be used.
AI Summary Analysis
Risk verdict
Medium risk with remote SQL injection potential; a public PoC and advisory signals warrant prompt action, especially for internet-exposed deployments.
Why this matters
The flaw allows manipulation of a web-facing parameter to trigger SQL injection, risking data exposure or modification. Business impact can include customer data leakage, incomplete reports, or database integrity issues, affecting regulatory posture and trust.
Most likely attack path
An attacker with remote access and administrative credentials could craft product_id input to trigger SQL injection in a server-side PHP endpoint. Exploitation requires high-privilege (admin-level) access to the application (CVSS PR:H) but no user interaction, so a compromised admin session could lead to data enumeration or modification. Lateral movement is plausible only if the attacker gains broader DB permissions or wider admin access.
Who is most exposed
Typical small-business deployments of web-based pet-care software on publicly reachable servers (often LAMP stacks) with admin interfaces exposed to the internet are at greatest risk, especially where admin credentials or MFA controls are weak.
Detection ideas
- Look for SQL error messages or anomalous responses from profit_report.php during normal report requests.
- Web logs showing unusual or crafted product_id values or repetitive payloads targeting SQL syntax.
- DB logs indicating unexpected query patterns (information_schema access, UNION-based payloads).
- Sudden spikes in admin session activity or failed authentication attempts.
- Alerts for data exfiltration indicators around the affected report endpoints.
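The web-log idea above, turned into a small access-log check as an added example (not code from the advisory or the vendor): it parses Apache combined-format lines, keeps only requests to /admin/profit_report.php, and flags any product_id value that is not a plain integer, tallying hits per source address. It assumes product_id is a numeric identifier; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:01:02 +0000] "GET /admin/profit_report.php?product_id=42 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:10:01:09 +0000] "GET /admin/profit_report.php?product_id=42%27%20OR%201%3D1--%20- HTTP/1.1" 500 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:10:02:15 +0000] "GET /admin/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:10:02:31 +0000] "GET /admin/profit_report.php?product_id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 3990 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/profit_report.php"
# Assumption: product_id is an integer key, so anything else is worth a look.
INT_RE = re.compile(r'^\d{1,10}$')


def analyse_line(line):
    """Return a finding dict for a suspicious product_id on the report endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("product_id", []):
        value = unquote_plus(raw)  # parse_qs decodes once; a second pass catches double encoding
        if INT_RE.match(value):
            continue
        return {"ip": m.group("ip"), "ts": m.group("ts"),
                "status": m.group("status"), "product_id": value}
    return None


def analyse_log(text):
    """Return (findings, hits_per_ip); repeated hits from one source are the stronger signal."""
    findings = [f for f in (analyse_line(l) for l in text.splitlines()) if f]
    per_ip = {}
    for f in findings:
        per_ip[f["ip"]] = per_ip.get(f["ip"], 0) + 1
    return findings, per_ip


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG)[0]:
        print(f"{f['ts']} {f['ip']} status={f['status']} product_id={f['product_id']!r}")
```

A 500 status alongside a non-numeric product_id is the combination worth paging on, since it matches the "SQL error messages or anomalous responses" signal above.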
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a fixed version when available; until then, apply compensating controls immediately.
- Implement WAF rules to block SQL injection patterns targeting profit_report.php; restrict access to the admin panel by IP or VPN; disable remote access to the endpoint where feasible.
- Enforce least privilege for the DB user used by the application; rotate admin credentials and enable MFA for admin accounts.
- Ensure all input is parameterised and that code reviews verify the use of prepared statements for product_id.
- Enable enhanced logging and rapid-change monitoring; test fixes in a staging environment before production.