CVE-2025-5374 Overview
CVE-2025-5374 is a SQL injection vulnerability in PHPGurukul Online Birth Certificate System 2.0. The flaw resides in the /admin/all-applications.php script, where the del parameter is passed to a database query without proper sanitization. An authenticated attacker with low-privilege access can manipulate the parameter to inject arbitrary SQL statements. The exploit has been publicly disclosed, increasing the risk of opportunistic attacks against exposed installations.
Critical Impact
Successful exploitation allows attackers to read, modify, or delete records in the application database, including citizen birth certificate data and administrative account credentials.
Affected Products
- PHPGurukul Online Birth Certificate System 2.0
- Component: /admin/all-applications.php
- CPE: cpe:2.3:a:phpgurukul:online_birth_certificate_system:2.0
Discovery Timeline
- 2025-05-31 - CVE-2025-5374 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-5374
Vulnerability Analysis
The vulnerability is classified as SQL Injection under [CWE-89] and Improper Neutralization of Special Elements in Output Used by a Downstream Component under [CWE-74]. The defect exists in the administrative endpoint /admin/all-applications.php, which processes the del HTTP request parameter. The application concatenates this user-supplied value directly into a SQL statement without parameterized queries or input validation. As a result, an attacker can inject SQL syntax that the database engine executes alongside the original query. The attack requires only low-level authentication and can be initiated remotely over the network.
Root Cause
The root cause is the absence of prepared statements or input sanitization when handling the del parameter in the admin application listing handler. PHPGurukul Online Birth Certificate System 2.0 builds SQL queries through string concatenation, which is a well-known anti-pattern. Any character that holds meaning in SQL syntax, such as single quotes, comment markers, or UNION keywords, passes through unchanged into the query parser.
Attack Vector
An authenticated user with access to the admin panel sends a crafted HTTP request to /admin/all-applications.php with a malicious del parameter value. The injected payload can extract data via UNION SELECT queries, enumerate database schemas, or modify and delete records using stacked queries if the database driver supports them. Refer to the GitHub Issue Tracker and the VulDB advisory for proof-of-concept details.
Detection Methods for CVE-2025-5374
Indicators of Compromise
- HTTP requests to /admin/all-applications.php containing SQL metacharacters such as single quotes, --, ;, or UNION within the del parameter.
- Web server access logs showing unusually long del parameter values or repeated requests with varying payloads.
- Database error messages returned in HTTP responses that reveal SQL syntax fragments.
- Unexpected administrative user accounts or modified birth certificate records in the application database.
Detection Strategies
- Deploy web application firewall (WAF) signatures that match SQL injection patterns targeting the del parameter on the admin endpoint.
- Enable database query auditing to flag queries originating from all-applications.php that contain UNION, SLEEP, or INFORMATION_SCHEMA references.
- Correlate authentication events with subsequent admin-panel activity to surface compromised low-privilege accounts.
Monitoring Recommendations
- Forward Apache or Nginx access logs to a centralized log platform and alert on SQL injection regex matches against admin URIs.
- Monitor outbound database traffic for spikes in row counts returned to the PHP application process.
- Track failed admin login attempts followed by successful authentications from the same source IP.
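The access-log check described under Indicators of Compromise and Monitoring Recommendations can be sketched as follows. This is an added example, not code from PHPGurukul or from the referenced advisories. It assumes the Apache/Nginx combined log format and that legitimate del values are short integer record ids; the function names, the MAX_LEN threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin/all-applications.php"   # path named in the advisory
MAX_LEN = 10                               # assumption: record ids are short integers
# Tokens the advisory lists as indicators inside the del parameter.
SQLI_RX = re.compile(r"'|--|;|/\*|\b(?:union|select|sleep|information_schema)\b", re.I)
# Client IP and request target from a combined-format access log entry.
LOG_RX = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')


def inspect_line(line):
    """Return (ip, decoded_value, reasons) for a suspicious del value, else None."""
    m = LOG_RX.match(line)
    url = urlsplit(m["target"]) if m else None
    # endswith() also covers installs served from a sub-directory.
    if url is None or not unquote(url.path).endswith(ENDPOINT):
        return None
    # parse_qs URL-decodes the value, so encoded metacharacters are seen in clear.
    for value in parse_qs(url.query, keep_blank_values=True).get("del", []):
        reasons = []
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("non-integer")
        if len(value) > MAX_LEN:
            reasons.append("long-value")
        if SQLI_RX.search(value):
            reasons.append("sql-token")
        if reasons:
            return m["ip"], value, reasons
    return None


def scan(lines):
    """Group suspicious del values by source IP to surface repeated probing."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = inspect_line(line)
        if hit:
            by_ip[hit[0]].append(hit[1:])
    return dict(by_ip)


# Constructed sample log lines (not taken from a real incident).
SAMPLE = [
    '198.51.100.7 - - [01/Jun/2025:10:00:01 +0000] "GET /admin/all-applications.php?del=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jun/2025:10:02:13 +0000] "GET /admin/all-applications.php?del=12%27-- HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jun/2025:10:02:15 +0000] "GET /admin/all-applications.php?del=3+UNION+SELECT+1 HTTP/1.1" 200 5301',
    '198.51.100.7 - - [01/Jun/2025:10:05:40 +0000] "GET /admin/dashboard.php?del=x%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The non-integer test is the strongest signal here because it does not depend on a token list: any del value that is not purely digits is worth reviewing, which is the same property the intval() workaround enforces on the server side.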
How to Mitigate CVE-2025-5374
Immediate Actions Required
- Restrict network access to the /admin/ directory using IP allowlists or VPN-only access until a vendor patch is available.
- Rotate all administrator credentials and audit existing accounts for unauthorized additions.
- Review the application database for evidence of tampering, particularly in user and application tables.
- Deploy WAF rules blocking SQL metacharacters in the del parameter on /admin/all-applications.php.
Patch Information
As of the last NVD update, no official vendor patch has been published by PHPGurukul. Monitor the PHP Gurukul Portal for updated releases. Organizations operating this software should treat it as unmaintained for this issue and apply compensating controls.
Workarounds
- Manually modify /admin/all-applications.php to cast the del parameter to an integer using intval($_GET['del']) before use in SQL.
- Migrate the affected query to PHP Data Objects (PDO) prepared statements with bound parameters.
- Place the application behind a reverse proxy that enforces strict input validation on query string parameters.
- Consider decommissioning the application and migrating to an actively maintained alternative if patches remain unavailable.
# Example WAF rule (ModSecurity) blocking SQL injection on the vulnerable parameter
SecRule REQUEST_URI "@contains /admin/all-applications.php" \
"chain,deny,status:403,id:1005374,msg:'CVE-2025-5374 SQLi attempt'"
SecRule ARGS:del "@rx (?i)(union|select|sleep|--|;|/\*)" "t:none,t:urlDecode"

