CVE-2025-6875 Overview
CVE-2025-6875 is a SQL injection vulnerability in SourceCodester Best Salon Management System 1.0, developed by Mayurik. The flaw resides in the /panel/edit-subscription.php script, where the editid parameter is passed directly into a SQL query without sanitization. An authenticated attacker can manipulate this parameter to inject arbitrary SQL statements against the application database. The vulnerability is exploitable remotely over the network and a public disclosure exists. The weakness is tracked as [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Remote attackers with low-privileged access can read, modify, or delete salon management database records by injecting SQL into the editid parameter of /panel/edit-subscription.php.
Affected Products
- Mayurik Best Salon Management System 1.0
- SourceCodester distribution of Best Salon Management System
- CPE: cpe:2.3:a:mayurik:best_salon_management_system:1.0:*:*:*:*:*:*:*
Discovery Timeline
- 2025-06-29 - CVE-2025-6875 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6875
Vulnerability Analysis
The vulnerability is a classic SQL injection in the subscription edit workflow of the admin panel. The edit-subscription.php endpoint accepts an editid HTTP parameter and concatenates the value into a SQL query that retrieves or updates subscription records. Because the parameter is not validated, escaped, or bound through a parameterized query, attacker-supplied SQL syntax is interpreted by the backend database. The disclosure indicates the attack can be launched remotely and exploit details have been made public, increasing the likelihood of opportunistic abuse. EPSS scoring places the probability of near-term exploitation at 0.361%.
Root Cause
The root cause is improper neutralization of special elements ([CWE-74]) in the editid request parameter. The PHP code constructs a SQL statement through string concatenation rather than using prepared statements with bound parameters. Any single quote, comment marker, or UNION clause in editid is forwarded to the database engine as executable SQL.
Attack Vector
An attacker who can reach the salon management panel and possesses low-privileged credentials sends a crafted HTTP request to /panel/edit-subscription.php with a malicious editid value. Typical payloads use UNION SELECT statements to exfiltrate user credentials, boolean-based blind techniques to enumerate schema contents, or stacked queries to alter subscription records. No user interaction is required beyond submission of the request. Further technical detail is documented in the GitHub SQL Injection Guide and the VulDB entry for incident 314347.
Detection Methods for CVE-2025-6875
Indicators of Compromise
- HTTP requests to /panel/edit-subscription.php containing SQL metacharacters such as ', --, UNION, SLEEP(, or INFORMATION_SCHEMA in the editid parameter.
- Unexpected database errors, 500 responses, or anomalous response timing originating from edit-subscription.php.
- New or modified rows in the subscription table that were not initiated by legitimate administrators.
- Web server access logs showing repeated editid requests from a single source IP within a short window.
Detection Strategies
- Deploy WAF or reverse-proxy rules that inspect the editid query parameter for SQL keywords and reject non-numeric values.
- Enable database query logging and alert on queries against the subscription table containing tautologies (e.g., OR 1=1) or UNION operators.
- Correlate web access logs with database audit logs to identify request-to-query patterns that diverge from baseline application behavior.
Monitoring Recommendations
- Forward Apache or Nginx access logs and MySQL general or audit logs to a central SIEM for correlation.
- Baseline the normal length and character set of the editid parameter and alert on outliers.
- Monitor administrative account activity for sessions that issue large numbers of subscription edit requests in rapid succession.
How to Mitigate CVE-2025-6875
Immediate Actions Required
- Restrict network access to /panel/ to trusted administrative IP ranges using firewall or web server access control lists.
- Rotate credentials for all administrative and database accounts associated with the salon management deployment.
- Review subscription, user, and audit tables for unauthorized modifications since the application was first exposed.
- Place the application behind a web application firewall configured with SQL injection signatures.
Patch Information
No official vendor patch has been published for Mayurik Best Salon Management System 1.0 at the time of NVD publication. Operators should monitor SourceCodester and the VulDB advisory for fix availability. Until an official patch is released, source-level remediation requires replacing concatenated SQL in edit-subscription.php with PDO or mysqli prepared statements and casting editid to an integer before use.
Workarounds
- Edit panel/edit-subscription.php to validate that editid is a positive integer with ctype_digit() or (int) casting before any database call.
- Replace inline SQL with parameterized queries using mysqli_prepare() and bind_param('i', $editid).
- Apply a temporary WAF rule blocking requests where the editid parameter contains non-numeric characters.
- Disable the subscription edit feature entirely if it is not in active use until source-level remediation is applied.
# Example ModSecurity rule blocking non-numeric editid values
SecRule ARGS:editid "!@rx ^[0-9]+$" \
"id:1006875,phase:2,deny,status:400,\
msg:'CVE-2025-6875 SQLi attempt on edit-subscription.php',\
tag:'application-multi',tag:'attack-sqli'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

