Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10840

CVE-2025-10840: Pet Grooming Management Software SQLi Flaw

CVE-2025-10840 is an SQL injection vulnerability in Mayurik Pet Grooming Management Software 1.0 affecting the /admin/print-payment.php file. This article covers the technical details, attack vectors, and mitigation strategies.

Published:

CVE-2025-10840 Overview

CVE-2025-10840 is a SQL injection vulnerability in SourceCodester Pet Grooming Management Software 1.0, developed by Mayurik. The flaw resides in the /admin/print-payment.php file, where the sql111 parameter is passed unsanitized to a backend database query. Remote attackers with low-level privileges can manipulate this argument to execute arbitrary SQL statements against the underlying database. The vulnerability has been publicly disclosed, and exploit details are available on GitHub. It is categorized under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Authenticated remote attackers can inject arbitrary SQL queries through the sql111 parameter in /admin/print-payment.php, potentially exposing or modifying payment records and other database content.

Affected Products

  • Mayurik Pet Grooming Management Software 1.0
  • SourceCodester distribution of Pet Grooming Management Software
  • CPE: cpe:2.3:a:mayurik:pet_grooming_management_software:1.0

Discovery Timeline

  • 2025-09-23 - CVE CVE-2025-10840 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-10840

Vulnerability Analysis

The vulnerability exists in the administrative payment-printing component of Pet Grooming Management Software 1.0. The script /admin/print-payment.php accepts user-controlled input through the sql111 request parameter. This input flows directly into a SQL query without parameterization or input validation. An authenticated attacker can append SQL syntax to alter query logic, extract data through UNION-based payloads, or use time-based techniques to enumerate database contents.

The attack is remotely exploitable over the network and requires only low-level privileges on the target application. Exploitation does not require user interaction. Public exploit information is available through a GitHub report and VulDB entries, lowering the technical barrier for attackers. The EPSS probability for this issue is 0.058% (18th percentile), indicating limited current exploitation activity.

Root Cause

The root cause is improper neutralization of special elements passed to the SQL interpreter [CWE-74]. The print-payment.php script concatenates the sql111 parameter into a query string instead of using prepared statements with bound parameters. Any attacker-supplied SQL metacharacters are executed by the MySQL backend with the privileges of the application database user.

Attack Vector

An attacker authenticates to the application's admin interface and issues a crafted HTTP request to /admin/print-payment.php, supplying malicious SQL syntax in the sql111 parameter. Because the parameter is interpolated into the query, the database executes the attacker payload. Typical exploitation produces data disclosure, record tampering, or in some deployments file read/write through MySQL functions such as LOAD_FILE or INTO OUTFILE.

For technical details, see the GitHub SQL Injection Report and the VulDB ID #325202 record.

Detection Methods for CVE-2025-10840

Indicators of Compromise

  • HTTP requests to /admin/print-payment.php containing the sql111 parameter with SQL metacharacters such as ', --, UNION, SLEEP(, or INFORMATION_SCHEMA.
  • Anomalous database query patterns originating from the web application user, including queries against mysql.user or schema metadata.
  • Web server access logs showing repeated requests to print-payment.php from a single client with varying parameter values.
  • Outbound DNS or HTTP traffic from the database host that correlates with out-of-band SQL injection techniques.

Detection Strategies

  • Deploy web application firewall rules to flag SQL keywords and metacharacters in the sql111 parameter of /admin/print-payment.php.
  • Enable MySQL general or audit logging and alert on queries containing concatenated input from the web tier.
  • Inspect application logs for HTTP 500 errors or unusually long response times tied to print-payment.php, which often signal injection attempts.

Monitoring Recommendations

  • Centralize web server, application, and database logs into a SIEM and correlate by source IP and session identifier.
  • Track baseline query volume and parameter cardinality for the admin endpoints to detect deviations.
  • Monitor administrative account logins to the Pet Grooming Management Software for unexpected source addresses or off-hours activity.

How to Mitigate CVE-2025-10840

Immediate Actions Required

  • Restrict network access to the /admin/ directory using IP allowlists or VPN-only access until a fix is available.
  • Audit administrative accounts and rotate credentials, removing unused or shared logins that could be leveraged for exploitation.
  • Place a web application firewall in front of the application with rules blocking SQL metacharacters in the sql111 parameter.
  • Review database logs and payment records for signs of unauthorized queries or data modification.

Patch Information

No vendor patch is currently listed for SourceCodester Pet Grooming Management Software 1.0. Administrators should monitor the SourceCodester Security Resources page for updates and consider migrating to an alternative, actively maintained application if no fix is released.

Workarounds

  • Modify print-payment.php to use parameterized queries with PDO or mysqli prepared statements instead of concatenating sql111 into the SQL string.
  • Apply server-side input validation that restricts sql111 to expected character sets, such as numeric identifiers.
  • Run the application database user with the minimum privileges required, disabling FILE privileges and write access to non-essential tables.
  • Disable or remove the print-payment.php endpoint if it is not required for business operations.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.