Skip to main content
CVE Vulnerability Database

CVE-2025-6861: Best Salon Management System SQLi Flaw

CVE-2025-6861 is a critical SQL injection vulnerability in Best Salon Management System 1.0 affecting /panel/add_plan.php. Attackers can exploit this remotely. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-6861 Overview

CVE-2025-6861 is a SQL injection vulnerability in SourceCodester Best Salon Management System 1.0, developed by Mayurik. The flaw resides in the /panel/add_plan.php script, where the plan_name, description, duration_days, and price parameters are passed directly to a database query without proper sanitization. Authenticated remote attackers can manipulate these parameters to inject arbitrary SQL statements. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic abuse against exposed installations. The vulnerability is tracked under [CWE-89] SQL Injection and [CWE-74] Improper Neutralization of Special Elements in Output.

Critical Impact

Remote authenticated attackers can manipulate SQL queries through the add_plan.php endpoint to read, modify, or delete database records in the salon management system.

Affected Products

  • Mayurik Best Salon Management System 1.0
  • SourceCodester distribution of Best Salon Management System
  • cpe:2.3:a:mayurik:best_salon_management_system:1.0

Discovery Timeline

  • 2025-06-29 - CVE-2025-6861 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-6861

Vulnerability Analysis

The vulnerability resides in /panel/add_plan.php, a script used to create new service plans within the salon management application. The handler accepts user-supplied values for plan_name, description, duration_days, and price and concatenates them into a SQL statement without parameterization or input validation. Any authenticated user with access to the panel can craft input that breaks out of the intended string context and appends arbitrary SQL clauses. The EPSS probability for this issue is 0.361% at the 27.77 percentile, reflecting limited but non-zero observed interest. Public disclosure through VulDB entries 314333 and 603375 and a GitHub SQL Injection Report has lowered the barrier to exploitation.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The add_plan.php script builds queries through direct string concatenation of POST parameters rather than using prepared statements or parameter binding. No server-side type enforcement is applied to numeric fields such as duration_days and price, allowing string payloads to flow into integer contexts.

Attack Vector

An attacker must first hold panel credentials, then submit a crafted POST request to /panel/add_plan.php containing SQL metacharacters in any of the four affected parameters. By injecting UNION SELECT clauses or stacked queries, the attacker can extract password hashes, customer records, or alter business data. The attack is performed remotely over the network and does not require user interaction beyond the initial authenticated session.

No verified exploit code is published in a curated PoC database; technical details are available through the referenced VulDB and GitHub write-ups.

Detection Methods for CVE-2025-6861

Indicators of Compromise

  • POST requests to /panel/add_plan.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the plan_name, description, duration_days, or price fields.
  • Web server access logs showing abnormally large request bodies or repeated submissions to the plan creation endpoint from a single session.
  • Unexpected new rows, modified pricing, or data exfiltration evidence in the plans table or related tables.
  • MySQL error log entries referencing syntax errors originating from add_plan.php.

Detection Strategies

  • Deploy web application firewall (WAF) rules that flag SQL keywords in parameters submitted to the salon management panel endpoints.
  • Inspect application and database logs for query patterns that combine plan creation operations with INFORMATION_SCHEMA or UNION references.
  • Correlate authenticated panel sessions with anomalous query volumes against the backend database.

Monitoring Recommendations

  • Enable MySQL general query logging on hosts running the salon management system to capture injection attempts.
  • Forward web server access logs to a centralized log platform and alert on suspicious POST bodies targeting /panel/add_plan.php.
  • Track failed authentication and rapid plan creation attempts to identify credentialed attackers probing the endpoint.

How to Mitigate CVE-2025-6861

Immediate Actions Required

  • Restrict network access to the /panel/ directory using IP allowlists or VPN-only access until a vendor fix is available.
  • Audit user accounts with panel access and remove or rotate credentials for unused accounts.
  • Review the plans table and related records for unauthorized modifications since the application was deployed.
  • Place the application behind a WAF configured with SQL injection signatures.

Patch Information

No official vendor patch is listed in the NVD references for CVE-2025-6861. Administrators should monitor the SourceCodester Security Resources page and the VulDB advisory for updates. Until a vendor release is published, source-level remediation requires replacing the vulnerable query construction in add_plan.php with prepared statements using PDO or mysqli parameter binding.

Workarounds

  • Modify add_plan.php locally to use parameterized queries and enforce server-side type casting for duration_days and price.
  • Apply input validation that rejects non-alphanumeric content in plan_name and limits description to expected character sets.
  • Disable the plan creation feature for non-administrative roles until source remediation is verified.
  • Take the application offline if it is internet-exposed and not actively required for operations.
bash
# Example hardening: refactor vulnerable query to use prepared statements (PHP/mysqli)
$stmt = $conn->prepare("INSERT INTO plans (plan_name, description, duration_days, price) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssid", $plan_name, $description, $duration_days, $price);
$stmt->execute();

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.