CVE Alert: CVE-2025-10459 – PHPGurukul – Beauty Parlour Management System

CVE-2025-10459

HIGH | No exploitation known | PoC observed

A security flaw has been discovered in PHPGurukul Beauty Parlour Management System 1.1. An unspecified part of the file /admin/all-appointment.php is affected: manipulation of the delid argument leads to SQL injection. The attack can be carried out remotely. An exploit has been released publicly and may be used.

CVSS v3.1 (7.3)
Vendor: PHPGurukul
Product: Beauty Parlour Management System
Versions: 1.1
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-15T15:02:07.440Z
Updated: 2025-09-15T15:22:56.149Z

AI Summary Analysis

Risk verdict

High risk: remote unauthenticated SQL injection with a publicly released PoC; urgent patching advised.

Why this matters

The flaw allows unauthenticated attackers to read, alter or exfiltrate data from the backend database, potentially exposing customer records and appointment data. With automated tooling and a public PoC, sustained exploitation could lead to data loss, service disruption, or reputational damage for affected businesses.

Most likely attack path

An attacker can reach the web-facing admin endpoint over the network and exploit the delid parameter without authenticating. Because no privileges (PR:N) and no user interaction (UI:N) are required, SQL injection attempts can be fully automated; the scope stays within the application's data layer (S:U), putting data confidentiality and integrity at risk. If the application's database credentials are shared across the web tier, deeper compromise or lateral movement becomes more feasible.

Who is most exposed

Web-based management systems used by small businesses are especially at risk when their admin interfaces are internet-facing and lack input sanitisation or a WAF. Deployments that rely on default or minimal isolation between web and database layers are particularly vulnerable.

Detection ideas

  • Anomalous requests to all-appointment.php with suspicious delid values.
  • Database errors or unusually large result sets in web/app logs.
  • IDS/IPS alerts for SQL injection payloads targeting PHP-generated queries.
  • Unusual DB connection activity from the web server.
  • Public PoC-related traffic patterns or automated scanning signatures.
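The first two detection ideas above can be turned into a simple log check. The following is an added example, not code from the vendor or from this site: it parses Apache combined-format access log lines (constructed here for illustration), isolates requests to /admin/all-appointment.php, and flags any delid value that is not a plain integer, any repeated delid parameter, and any request to that endpoint that ended in a server error. The log format and the assumption that a legitimate delid is a short decimal integer are both assumptions made for the example.

```python
"""Flag requests to /admin/all-appointment.php whose delid parameter looks
tampered with. Added illustration, not the vendor's or the site's code."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Sep/2025:15:10:01 +0000] "GET /admin/all-appointment.php?delid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Sep/2025:15:10:02 +0000] "GET /admin/all-appointment.php?delid=42%27 HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.12 - - [15/Sep/2025:15:10:03 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [15/Sep/2025:15:10:04 +0000] "GET /admin/all-appointment.php?delid=7%20OR%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [15/Sep/2025:15:10:05 +0000] "GET /admin/all-appointment.php?delid=5&delid=6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.15 - - [15/Sep/2025:15:10:06 +0000] "GET /admin/all-appointment.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" log format (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
VULNERABLE_PATH = "/admin/all-appointment.php"  # endpoint named in the CVE
PLAIN_INTEGER = re.compile(r"[0-9]{1,10}")      # assumed shape of a legitimate delid


def inspect_line(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULNERABLE_PATH:
        return None
    # parse_qs percent-decodes, so "42%27" is examined as "42'".
    values = parse_qs(url.query, keep_blank_values=True).get("delid")
    if values is None:
        return None  # page viewed without a delete action
    reasons = []
    if len(values) > 1:
        reasons.append("multiple delid values")
    for v in values:
        if not PLAIN_INTEGER.fullmatch(v):
            reasons.append(f"non-integer delid {v!r}")
    if m.group("status") == "500":
        reasons.append("server error (possible database error)")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "delid": values,
            "status": int(m.group("status")), "ua": m.group("ua"), "reasons": reasons}


def scan_log(text):
    """Run inspect_line over every line and collect the findings in order."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["delid"], "; ".join(finding["reasons"]))
```

Run against the constructed sample, three of the six lines are reported: the single-quote value, the boolean-expression value, and the repeated parameter. The check is deliberately an allow-list on the parameter's expected shape rather than a search for known payload strings, so it does not depend on a signature list that an encoded variant would slip past.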

Mitigation and prioritisation

  • Apply the patch/update from the vendor; treat this as a priority item in the patching queue.
  • If patching is delayed, implement input validation and switch to parameterised queries (prepared statements).
  • Enforce least-privilege DB access for the web user; disable detailed error messages; implement a web application firewall with SQLi rules.
  • Segment the network and disable direct internet access to the admin endpoint where feasible.
  • Plan a staged rollout, with monitoring for anomalous DB activity post-deployment; reassess risk once patch/mitigations are in place.
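The second and third bullets (input validation, parameterised queries) are shown below as an added example that is not the vendor's code: a delete handler in the CWE-89 pattern beside its hardened form, run against an in-memory SQLite database. The table and column names (appointments, id, customer) and the rule that a legitimate delid is a plain decimal integer are assumptions made for the example, not the product's schema.

```python
"""Vulnerable-vs-hardened delete handler for a delid-style parameter.
Added illustration using SQLite; the schema is constructed, not the vendor's."""
import re
import sqlite3

PLAIN_INTEGER = re.compile(r"[0-9]{1,10}")  # assumed shape of a legitimate delid


def make_demo_db():
    """In-memory database with a constructed appointments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE appointments (id INTEGER PRIMARY KEY, customer TEXT)")
    conn.executemany("INSERT INTO appointments (id, customer) VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob"), (3, "Carol")])
    conn.commit()
    return conn


def count_appointments(conn):
    return conn.execute("SELECT COUNT(*) FROM appointments").fetchone()[0]


def delete_appointment_unsafe(conn, delid):
    """The CWE-89 pattern: the request value is spliced into the SQL text, so a
    value that is not a bare integer rewrites the WHERE clause."""
    cur = conn.execute(f"DELETE FROM appointments WHERE id = {delid}")
    conn.commit()
    return cur.rowcount


def delete_appointment_safe(conn, delid):
    """Hardened form: reject anything but a plain integer, then bind the value.
    The driver passes the bound value separately from the statement, so it can
    never alter the statement's structure."""
    if not isinstance(delid, str) or not PLAIN_INTEGER.fullmatch(delid):
        raise ValueError("delid must be a plain integer")
    cur = conn.execute("DELETE FROM appointments WHERE id = ?", (int(delid),))
    conn.commit()
    return cur.rowcount


def demo():
    """Feed the same non-integer value to both handlers and return
    (rows left after the unsafe call, rows left after the safe call)."""
    tampered = "2 OR 1=1"  # constructed non-integer value
    unsafe_db = make_demo_db()
    delete_appointment_unsafe(unsafe_db, tampered)  # WHERE clause now matches every row
    safe_db = make_demo_db()
    try:
        delete_appointment_safe(safe_db, tampered)
    except ValueError:
        pass  # rejected before any SQL ran
    return count_appointments(unsafe_db), count_appointments(safe_db)


if __name__ == "__main__":
    print("rows remaining (unsafe, safe):", demo())
```

Two points are worth noting in the hardened version. The type check alone is not the fix: binding is what guarantees the value cannot change the statement, and the check simply gives a clean error instead of a database error, which also supports the "disable detailed error messages" bullet. And the handler runs a single statement with one bound parameter, so a database account granted only the DELETE it needs on this table satisfies the least-privilege bullet without breaking the feature.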
