CVE Alert: CVE-2025-9930 – 1000projects – Beauty Parlour Management System

CVE-2025-9930

HIGH | No exploitation known | PoC observed

A security vulnerability has been detected in 1000projects Beauty Parlour Management System 1.0. This impacts an unknown function of the file /admin/contact-us.php. The manipulation of the argument mobnumber leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

CVSS v3.1: 7.3
Vendor: 1000projects
Product: Beauty Parlour Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-03T21:32:09.494Z
Updated: 2025-09-04T19:58:49.699Z

AI Summary Analysis

Risk verdict

High risk. Publicly disclosed, remote SQL injection with a PoC available; exploitation could proceed without authentication, warranting urgent attention.

Why this matters

The vulnerability targets a web-facing admin function, enabling an attacker to access or alter database content via the mobnumber parameter. In small-business deployments, this can lead to customer data exposure, credential leakage, or service disruption, potentially damaging trust and regulatory standing.

Most likely attack path

An attacker sends crafted input to /admin/contact-us.php without needing credentials or user interaction (AV:N, PR:N, UI:N). With AC:L, a successful injection could allow reading or modifying database content. The network vector and the absence of user interaction make automated probing and exploitation likely, although each impact is rated low (C:L/I:L/A:L) and the scope is unchanged (S:U).

Who is most exposed

Web deployments of the Beauty Parlour Management System with publicly reachable admin endpoints are most at risk—common on self-hosted or lightly protected hosting environments used by small salons and clinics.

Detection ideas

  • SQL error messages or anomaly in responses from /admin/contact-us.php in logs.
  • Spike in requests with unusual mobnumber values or SQLi-like payloads.
  • WAF/IDS alerts for classic SQL injection patterns in query strings.
  • Unusual database query latency or increased DB errors from the application host.
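The first three detection ideas above can be turned into a log check. The script below is an added example, not something the vendor or the advisory provides: it parses a few constructed access-log lines (documentation-range IPs, invented timestamps and requests), flags requests to /admin/contact-us.php whose mobnumber value is not a plain phone number or contains classic SQL-injection tokens, notes 5xx responses that may indicate surfaced SQL errors, and counts flagged requests per source address as a crude spike indicator. The expected shape of a legitimate mobnumber (optional '+', 6 to 15 digits) is an assumption for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache combined-style format. The IPs are
# documentation-range addresses and the requests are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2025:10:00:01 +0000] "GET /admin/contact-us.php?mobnumber=5551234567 HTTP/1.1" 200 512
203.0.113.7 - - [04/Sep/2025:10:00:02 +0000] "GET /admin/contact-us.php?mobnumber=555'%20OR%20'1'%3D'1 HTTP/1.1" 200 8192
203.0.113.7 - - [04/Sep/2025:10:00:03 +0000] "GET /admin/contact-us.php?mobnumber=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 231
203.0.113.9 - - [04/Sep/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

WATCHED_PATH = "/admin/contact-us.php"   # endpoint named in the advisory
WATCHED_PARAM = "mobnumber"              # parameter named in the advisory
# Assumption: a legitimate mobnumber is an optional '+' followed by 6-15 digits.
EXPECTED_VALUE = re.compile(r"^\+?\d{6,15}$")
# Classic SQL-injection indicators: quote characters, comment sequences, SQL keywords.
SQLI_TOKENS = re.compile(
    r"""(['"`]|--|/\*|\b(?:or|and|union|select|sleep|benchmark)\b)""",
    re.IGNORECASE,
)


def analyse_log(text):
    """Return (findings, per_ip) for suspicious mobnumber values sent to the admin endpoint."""
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes once; double-encoded values would need a second pass.
        for value in parse_qs(url.query, keep_blank_values=True).get(WATCHED_PARAM, []):
            reasons = []
            if not EXPECTED_VALUE.match(value):
                reasons.append("non-numeric mobnumber")
            if SQLI_TOKENS.search(value):
                reasons.append("sqli-like tokens")
            if m["status"].startswith("5"):
                reasons.append("server error")  # a SQL error may have reached the client
            if reasons:
                per_ip[m["ip"]] += 1
                findings.append({"ip": m["ip"], "ts": m["ts"], "value": value,
                                 "status": int(m["status"]), "reasons": reasons})
    return findings, per_ip


def noisy_sources(per_ip, threshold=2):
    """Source IPs with at least `threshold` flagged requests (a crude spike indicator)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = analyse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} status={f['status']} value={f['value']!r} -> {', '.join(f['reasons'])}")
    print("noisy sources:", noisy_sources(counts))
```

On the sample above the benign request from 203.0.113.5 is left alone, both requests from 203.0.113.7 are flagged, and that address is reported as a noisy source. In production the same logic would run over the real access log (or a WAF/IDS export) with the threshold tuned to normal traffic volume, and the "server error" signal should be correlated with the application's own error log, which is where the SQL error messages named in the first bullet usually land.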

Mitigation and prioritisation

  • Patch to vendor-released update immediately; if unavailable, apply input validation and parameterised queries (prepared statements) for all user-supplied data, especially mobnumber.
  • Restrict access to the admin endpoint, add authentication, and deploy web app firewall rules targeting SQLi patterns.
  • Audit and harden database permissions; disable unnecessary dynamic SQL.
  • Change-management: test fixes in staging, then rollout across environments; monitor for anomalous access attempts.
  • If KEV present or EPSS ≥ 0.5, treat as priority 1; otherwise classify as high-priority remediation.
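The first mitigation bullet asks for input validation and parameterised queries. The following added example (not the product's code; the contacts table, its rows and the phone-number format are constructed for the demonstration) shows the CWE-89 defect class beside two corrected forms, using Python's built-in sqlite3 so it runs offline: a lookup that splices mobnumber into the SQL text, the same lookup as a prepared statement, and a hardened version that adds allow-list validation in front of the prepared statement.

```python
import re
import sqlite3


# Assumption: the application keeps contacts in a table like this. Schema and rows
# are constructed for the example, not taken from the product.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, mobnumber TEXT)")
    conn.executemany(
        "INSERT INTO contacts (name, mobnumber) VALUES (?, ?)",
        [("Alice", "5551234567"), ("Bob", "5559876543"), ("Carol", "5550001111")],
    )
    return conn


def lookup_vulnerable(conn, mobnumber):
    # CWE-89 pattern: the request parameter is spliced into the SQL text, so a quote
    # character in the input changes the structure of the query, not just its data.
    sql = "SELECT name FROM contacts WHERE mobnumber = '%s' ORDER BY id" % mobnumber
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, mobnumber):
    # Prepared statement: the driver binds the value as data; it can never become SQL.
    sql = "SELECT name FROM contacts WHERE mobnumber = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (mobnumber,))]


# Assumption: a valid mobnumber is an optional '+' followed by 6-15 digits.
MOBNUMBER_RE = re.compile(r"\+?\d{6,15}")


def lookup_hardened(conn, mobnumber):
    # Defence in depth: allow-list validation first, then the parameterised query.
    # Validation alone is not the fix (the prepared statement is), but it rejects
    # junk early and gives a clean error to log instead of a database error.
    if not isinstance(mobnumber, str) or not MOBNUMBER_RE.fullmatch(mobnumber):
        raise ValueError("mobnumber must be 6-15 digits with an optional leading '+'")
    return lookup_parameterised(conn, mobnumber)


if __name__ == "__main__":
    db = build_db()
    normal = "5551234567"
    tautology = "' OR '1'='1"   # constructed input illustrating why quoting is not a defence
    print("vulnerable, normal input :", lookup_vulnerable(db, normal))
    print("vulnerable, tautology    :", lookup_vulnerable(db, tautology))
    print("parameterised, tautology :", lookup_parameterised(db, tautology))
    try:
        lookup_hardened(db, tautology)
    except ValueError as exc:
        print("hardened, tautology      : rejected ->", exc)
    print("hardened, normal input   :", lookup_hardened(db, normal))
```

The vulnerable lookup returns every row for the tautology input, the parameterised lookup returns nothing because the whole string is compared as a phone number, and the hardened lookup rejects it before any query runs. In the PHP application the equivalent change is to replace string-built queries with PDO or mysqli prepared statements and bind mobnumber as a parameter; the validation regex would be adjusted to whatever number formats the business actually accepts.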
