CVE-2025-6320 Overview
CVE-2025-6320 is a SQL injection vulnerability in PHPGurukul Pre-School Enrollment System 1.0. The flaw exists in the /admin/add-class.php script, where the classname parameter is passed directly into a SQL query without proper sanitization. Authenticated attackers can manipulate this parameter to inject arbitrary SQL statements. The issue is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and has been publicly disclosed. The vulnerability is remotely exploitable over the network and affects the confidentiality, integrity, and availability of the underlying database.
Critical Impact
An authenticated attacker can inject SQL through the classname parameter to read, modify, or destroy data stored in the pre-school enrollment database.
Affected Products
- PHPGurukul Pre-School Enrollment System 1.0
- CPE: cpe:2.3:a:phpgurukul:pre-school_enrollment_system:1.0:*:*:*:*:*:*:*
- Vulnerable script: /admin/add-class.php
Discovery Timeline
- 2025-06-20 - CVE-2025-6320 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-6320
Vulnerability Analysis
The vulnerability resides in the administrative class management workflow of PHPGurukul Pre-School Enrollment System 1.0. When an administrator submits the add-class form, the classname POST parameter is concatenated into a SQL INSERT statement without parameterized queries or input filtering. An attacker who possesses low-privilege administrative credentials can append SQL syntax to the classname value and alter the original query. The EPSS score for this issue is 0.318% (23.3 percentile), indicating limited observed exploitation interest at this time. However, public disclosure on GitHub and VulDB entry 313320 lowers the bar for opportunistic abuse.
Root Cause
The root cause is improper neutralization of user-supplied input passed to a SQL interpreter. The add-class.php script does not use prepared statements or call escaping functions such as mysqli_real_escape_string() on the classname value. Any string containing SQL metacharacters such as single quotes, comments, or UNION keywords becomes part of the executed query.
Attack Vector
Exploitation requires authenticated access to the administrative panel, which lowers the privilege barrier but does not require user interaction. An attacker submits a crafted classname value through the add-class form using a standard HTTP POST request. The injected payload can extract database contents via UNION SELECT queries, enumerate schema metadata from information_schema, modify records, or drop tables. Because the attack is fully remote and uses normal HTTP traffic, it blends with legitimate administrative activity. Refer to the public proof-of-concept discussion for payload structure.
Detection Methods for CVE-2025-6320
Indicators of Compromise
- HTTP POST requests to /admin/add-class.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the classname parameter.
- Web server logs showing abnormally long classname values or repeated submissions from a single source IP.
- Database error messages or unexpected response timing tied to add-class submissions.
- New or modified rows in class-related tables that do not correspond to legitimate administrator activity.
Detection Strategies
- Deploy web application firewall (WAF) signatures that flag SQL injection payloads on add-class.php form fields.
- Enable database query logging and alert on syntactically anomalous INSERT statements targeting class tables.
- Correlate administrator authentication events with subsequent form submissions to identify suspicious sessions.
Monitoring Recommendations
- Forward web and database logs to a centralized analytics platform for query pattern analysis.
- Establish baselines for typical classname parameter length and character set, then alert on deviations.
- Monitor outbound database traffic for unexpected data egress following administrative form submissions.
How to Mitigate CVE-2025-6320
Immediate Actions Required
- Restrict network access to /admin/ paths using IP allowlists or VPN-only access until a fix is applied.
- Rotate administrative credentials and review account access logs for unauthorized logins.
- Audit the tblclass and related database tables for unauthorized inserts, updates, or deletions.
- Apply WAF rules that block SQL injection payloads targeting add-class.php.
Patch Information
No official vendor patch has been published for PHPGurukul Pre-School Enrollment System 1.0 at the time of this writing. Administrators should consult PHPGurukul for updates and consider applying source-level fixes that replace string concatenation with parameterized queries using mysqli prepared statements or PDO bindings.
Workarounds
- Modify /admin/add-class.php to use prepared statements with bound parameters for the classname field.
- Apply server-side input validation that restricts classname to an allowlist of alphanumeric characters and spaces.
- Disable or remove the add-class functionality if not required in production environments.
- Place the application behind a reverse proxy with SQL injection filtering enabled.
# Example WAF rule (ModSecurity) blocking SQLi patterns on add-class.php
SecRule REQUEST_URI "@streq /admin/add-class.php" \
"phase:2,chain,deny,status:403,id:1006320,msg:'CVE-2025-6320 SQLi attempt'"
SecRule ARGS:classname "@rx (?i)(union\s+select|--|';|sleep\(|information_schema)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

