
CVE-2025-11330: Beauty Parlour Management System SQLi Flaw

CVE-2025-11330 is a SQL injection vulnerability in PHPGurukul Beauty Parlour Management System 1.1. Attackers can exploit the sales report module remotely. This article covers technical details, affected systems, and mitigation.

CVE-2025-11330 Overview

CVE-2025-11330 is a SQL injection vulnerability in PHPGurukul Beauty Parlour Management System 1.1. The flaw resides in the /admin/sales-reports-detail.php script, where the fromdate and todate request parameters are passed into a database query without proper sanitization. Authenticated remote attackers can manipulate these parameters to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the risk of opportunistic use against exposed installations. The weakness is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Authenticated attackers can inject SQL via the fromdate and todate parameters on the sales reports admin page, exposing or modifying backend database content.

Affected Products

  • PHPGurukul Beauty Parlour Management System 1.1
  • Component: /admin/sales-reports-detail.php
  • Vendor: PHPGurukul

Discovery Timeline

  • 2025-10-06 - CVE-2025-11330 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-11330

Vulnerability Analysis

The vulnerability exists in the admin-side sales reporting feature of PHPGurukul Beauty Parlour Management System 1.1. The sales-reports-detail.php script accepts user-supplied fromdate and todate values and concatenates them directly into a SQL query. Because the application does not use parameterized queries or input validation, an attacker can inject SQL syntax through these parameters.

Exploitation requires network access to the admin interface and low-privilege authentication, as reflected by the CVSS 4.0 vector indicating PR:L. Successful injection allows attackers to read sensitive records, modify report data, or enumerate the underlying MySQL schema. The exploit has been publicly disclosed through VulDB entry 327213 and corresponding GitHub issues.

Root Cause

The root cause is the absence of input neutralization on the fromdate and todate HTTP parameters before they are concatenated into a SQL statement. PHPGurukul code in this release relies on raw string interpolation instead of prepared statements with bound parameters, which violates safe database access practices and produces a classic injection flaw under CWE-74.

Attack Vector

The attack is remote and conducted over HTTP against the admin endpoint. After authenticating to the admin panel, the attacker submits a crafted request containing SQL meta-characters (for example, ', UNION SELECT, or boolean payloads) in the fromdate or todate fields of the sales report query. The injected payload executes within the context of the database user configured for the application.

No verified proof-of-concept code is provided in the upstream advisory. See the GitHub Issue #6 and GitHub Issue #7 submissions, plus VulDB #327213, for additional technical context.

Detection Methods for CVE-2025-11330

Indicators of Compromise

  • HTTP requests to /admin/sales-reports-detail.php containing SQL meta-characters such as ', --, UNION, SLEEP(, or OR 1=1 in fromdate or todate parameters.
  • Web server access logs showing repeated admin authentication attempts followed by malformed report queries.
  • MySQL error log entries referencing syntax errors originating from the sales reports module.
  • Unexpected data exports or large SELECT responses from the application database user.

Detection Strategies

  • Inspect web server and PHP error logs for SQL syntax errors tied to sales-reports-detail.php.
  • Deploy a Web Application Firewall (WAF) rule that flags SQL keywords in date parameters where only YYYY-MM-DD values are expected.
  • Correlate admin session activity with anomalous database query volume or duration in MySQL slow query logs.

Monitoring Recommendations

  • Enable MySQL general query logging during incident response to capture injected statements.
  • Forward web server, PHP, and database logs to a centralized analytics platform for keyword and pattern alerting.
  • Alert on any administrative request whose fromdate or todate parameter fails strict date format validation at the proxy layer.
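The detection strategy above (flag any sales-report request whose date parameters are not strict YYYY-MM-DD values) can be run over web server logs as a first pass. The following script is an added example, not part of the advisory or of PHPGurukul; the access log lines it scans are constructed, in Apache combined format, and the threshold logic is deliberately simple:

```php
<?php
declare(strict_types=1);

// Added example (not from the advisory or PHPGurukul): scan Apache combined-format
// access log lines for sales-reports-detail.php requests whose fromdate/todate
// values are not strict YYYY-MM-DD dates. The lines below are constructed samples.
$sampleLog = <<<'LOG'
203.0.113.10 - - [06/Oct/2025:10:01:02 +0000] "GET /admin/sales-reports-detail.php?fromdate=2025-09-01&todate=2025-09-30 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Oct/2025:10:01:09 +0000] "GET /admin/sales-reports-detail.php?fromdate=2025-09-01%27+OR+1%3D1--&todate=2025-09-30 HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Oct/2025:10:01:15 +0000] "POST /admin/sales-reports-detail.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2025:10:02:00 +0000] "GET /admin/sales-reports-detail.php?fromdate=2025-09-01&todate=2025-09-30%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.7 - - [06/Oct/2025:10:02:30 +0000] "GET /admin/dashboard.php HTTP/1.1" 200 2048 "-" "curl/8.0"
LOG;

const TARGET_PATH = '/admin/sales-reports-detail.php';
const DATE_PARAMS = ['fromdate', 'todate'];
const STRICT_DATE = '/^\d{4}-\d{2}-\d{2}$/';

/** Parse one combined-format line into its fields, or null if it does not match. */
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    $url = parse_url($m[4]);
    $params = [];
    if (is_array($url) && isset($url['query'])) {
        // parse_str percent-decodes and turns '+' into spaces, so the check below
        // sees the same value PHP's $_GET would, not the encoded form.
        parse_str($url['query'], $params);
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => (is_array($url) && isset($url['path'])) ? $url['path'] : $m[4],
        'params' => $params,
    ];
}

/** One finding per date parameter that fails the strict format, plus a note for POSTs. */
function findSuspiciousRequests(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseAccessLogLine($line);
        if ($req === null || $req['path'] !== TARGET_PATH) {
            continue;
        }
        if ($req['method'] === 'POST' && $req['params'] === []) {
            // Form bodies are not written to the access log: a POSTed report can only
            // be inspected by the WAF (ARGS covers POST fields) or by the application.
            $findings[] = ['ip' => $req['ip'], 'time' => $req['time'], 'param' => null,
                           'value' => null, 'reason' => 'POST body not visible in access log'];
            continue;
        }
        foreach (DATE_PARAMS as $p) {
            if (!array_key_exists($p, $req['params'])) {
                continue;
            }
            $v = $req['params'][$p];
            if (!is_string($v) || preg_match(STRICT_DATE, $v) !== 1) {
                $findings[] = ['ip' => $req['ip'], 'time' => $req['time'], 'param' => $p,
                               'value' => is_string($v) ? $v : 'array', 'reason' => 'not YYYY-MM-DD'];
            }
        }
    }
    return $findings;
}

foreach (findSuspiciousRequests($sampleLog) as $f) {
    printf("%s %s %s %s\n", $f['time'], $f['ip'], $f['param'] ?? '-', $f['reason']);
    if ($f['value'] !== null) {
        printf("    value: %s\n", $f['value']);
    }
}
```

Two points the script makes explicit: the parameters must be decoded before matching (a raw log line shows `%27`, not `'`, so a naive grep for meta-characters misses encoded payloads), and the access log is blind to POST bodies, so if the report form submits via POST the only places the date values can be validated are the WAF (the page's ModSecurity rule covers both GET and POST through ARGS) or the application itself.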

How to Mitigate CVE-2025-11330

Immediate Actions Required

  • Restrict access to /admin/ paths to trusted source IPs via network ACLs or web server configuration until a patched build is available.
  • Audit admin user accounts and rotate credentials, since exploitation requires authenticated access.
  • Apply WAF signatures that block SQL meta-characters in the fromdate and todate parameters.
  • Review database accounts used by the application and remove unnecessary privileges such as FILE or write access to non-application schemas.

Patch Information

No vendor patch is referenced in the published advisory. Monitor the PHPGurukul site and the VulDB entry for updated releases. Until a fixed version is published, treat the application as vulnerable and apply compensating controls.

Workarounds

  • Modify sales-reports-detail.php to validate fromdate and todate against a strict YYYY-MM-DD regular expression before use.
  • Refactor the affected query to use prepared statements with bound parameters via mysqli or PDO.
  • Place the admin interface behind a VPN or IP allow-list to reduce exposure of the vulnerable endpoint.
  • Run the application database account with least-privilege permissions limited to the application schema.
```apache
# Example Apache configuration restricting admin access to a trusted subnet
<Location "/admin/">
    Require ip 10.0.0.0/24
</Location>

# Example ModSecurity rule blocking SQL meta-characters in date parameters
SecRule ARGS:fromdate|ARGS:todate "@rx [^0-9\-]" \
    "id:1011330,phase:2,deny,status:400,msg:'CVE-2025-11330 SQLi attempt'"
```
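The two code-level workarounds (strict date validation and prepared statements) are what actually remove the flaw described in the Root Cause section. The script below is an added example, not PHPGurukul's code: it reconstructs the interpolation pattern the advisory describes beside a hardened version, and runs against a constructed in-memory SQLite table so it can be executed offline. The table and column names (tblsales, SaleDate, amount) are assumptions; the real application would use a mysql: DSN.

```php
<?php
declare(strict_types=1);

// Added example, not PHPGurukul's code: the interpolation pattern the advisory
// describes, beside a hardened version. Table/column names (tblsales, SaleDate,
// amount) are assumptions; the SQLite fixture is constructed so the script runs offline.

/** Allow-list check: exactly YYYY-MM-DD and a real calendar date. */
function isValidIsoDate(string $value): bool
{
    if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $value) !== 1) {
        return false;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat silently rolls 2025-02-30 over into March; the round trip catches it.
    return $d !== false && $d->format('Y-m-d') === $value;
}

/** Vulnerable pattern (for comparison only): request values become part of the SQL text. */
function salesReportUnsafe(PDO $pdo, string $fromdate, string $todate): array
{
    $sql = "SELECT id, amount FROM tblsales WHERE SaleDate BETWEEN '$fromdate' AND '$todate'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened version: reject anything that is not a date, then bind the values. */
function salesReportSafe(PDO $pdo, string $fromdate, string $todate): array
{
    if (!isValidIsoDate($fromdate) || !isValidIsoDate($todate)) {
        throw new InvalidArgumentException('fromdate and todate must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare(
        'SELECT id, amount FROM tblsales WHERE SaleDate BETWEEN :fromdate AND :todate'
    );
    $stmt->bindValue(':fromdate', $fromdate, PDO::PARAM_STR);
    $stmt->bindValue(':todate', $todate, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture. For MySQL, also set PDO::ATTR_EMULATE_PREPARES => false so
// the server, not the driver, performs the parameter binding.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tblsales (id INTEGER PRIMARY KEY, SaleDate TEXT NOT NULL, amount INTEGER NOT NULL)');
$pdo->exec("INSERT INTO tblsales (SaleDate, amount) VALUES ('2025-01-05', 40), ('2025-02-10', 55), ('2025-03-15', 70)");

$from     = '2025-01-01';
$to       = '2025-01-31';
$tampered = "2025-01-31' OR '1'='1";   // boolean payload of the kind named in the advisory

printf("unsafe, clean input:    %d row(s)\n", count(salesReportUnsafe($pdo, $from, $to)));
printf("unsafe, tampered input: %d row(s), the date filter is bypassed\n", count(salesReportUnsafe($pdo, $from, $tampered)));
printf("safe,   clean input:    %d row(s)\n", count(salesReportSafe($pdo, $from, $to)));
try {
    salesReportSafe($pdo, $from, $tampered);
} catch (InvalidArgumentException $e) {
    echo "safe,   tampered input: rejected before any query ran\n";
}
```

The validation and the prepared statement are independent layers: binding alone already prevents the injected clause from changing the query structure, and the format check on top of it keeps garbage out of the report logic and gives the application a clean place to log and reject malformed requests. The same shape works with mysqli (`prepare`, `bind_param('ss', ...)`, `execute`) if the code base does not use PDO.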

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
