CVE-2025-6914 Overview
CVE-2025-6914 is a SQL injection vulnerability in PHPGurukul Student Record System version 3.2. The flaw resides in the /edit-student.php script, where the fmarks2 parameter is passed to a database query without proper sanitization. Authenticated remote attackers can manipulate this parameter to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed deployments. The vulnerability is tracked under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component.
Critical Impact
Authenticated attackers can inject SQL through the fmarks2 parameter in /edit-student.php, enabling unauthorized read or modification of student records stored in the backend database.
Affected Products
- PHPGurukul Student Record System 3.2
- Deployments referencing the vulnerable /edit-student.php endpoint
- Web applications built on the PHPGurukul Student Record System codebase
Discovery Timeline
- 2025-06-30 - CVE-2025-6914 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-6914
Vulnerability Analysis
The vulnerability exists in the edit-student.php script of PHPGurukul Student Record System 3.2. The fmarks2 request parameter, which represents a student's marks field, is concatenated directly into a SQL UPDATE statement. Because the application does not use parameterized queries or input filtering, an attacker can break out of the original query context and append arbitrary SQL clauses.
Successful exploitation allows extraction of database contents, modification of student grades, or tampering with administrative records. The attack is reachable over the network and requires low-privilege authenticated access to the affected page. The EPSS score is 0.197% with a percentile rank of 41.61, indicating limited but non-trivial likelihood of exploitation activity.
Root Cause
The root cause is improper neutralization of user-controlled input in a SQL statement [CWE-74]. The fmarks2 POST parameter is interpolated into a query string without using prepared statements, escaping, or strict type validation. Any character that has special meaning in SQL syntax is interpreted by the database engine.
Attack Vector
The attacker sends a crafted HTTP POST request to /edit-student.php with a malicious payload in the fmarks2 field. Payloads using UNION SELECT, boolean-based blind techniques, or time-based delays can be used to enumerate database structure and exfiltrate data. The attack requires only network access and a valid session, with no user interaction beyond the attacker's own request.
For technical proof-of-concept details, refer to the GitHub Issue Discussion and the VulDB CTI ID #314407 advisory.
Detection Methods for CVE-2025-6914
Indicators of Compromise
- HTTP POST requests to /edit-student.php containing SQL meta-characters such as ', --, UNION, or SLEEP( in the fmarks2 parameter
- Web server access logs showing repeated requests to edit-student.php from a single source within a short time window
- Unexpected modifications to student marks or grade tables without corresponding administrator activity
- Database error messages referencing the fmarks2 field or syntax errors near the marks column
Detection Strategies
- Deploy a web application firewall rule that inspects the fmarks2 parameter for SQL syntax tokens and known injection patterns
- Enable database query auditing to flag UPDATE statements containing unexpected subqueries, UNION clauses, or sleep functions
- Correlate authenticated session activity with anomalous query response times that indicate time-based blind injection
Monitoring Recommendations
- Forward web server, PHP error, and MySQL audit logs to a centralized analytics platform for correlation
- Alert on authenticated users issuing more than a configured threshold of POST requests to /edit-student.php per minute
- Monitor for new outbound connections from the database host, which may indicate post-exploitation data exfiltration
How to Mitigate CVE-2025-6914
Immediate Actions Required
- Restrict access to /edit-student.php to trusted internal networks or VPN users until a patched build is available
- Revoke and rotate database credentials used by the PHPGurukul application if injection attempts are observed
- Apply WAF signatures that block SQL injection payloads targeting the fmarks2 parameter
Patch Information
As of the last NVD update on 2026-04-29, no vendor patch has been published for PHPGurukul Student Record System 3.2. Administrators should track the PHPGurukul vendor site and the VulDB advisory for fix availability.
Workarounds
- Modify edit-student.php to use PDO or mysqli prepared statements with bound parameters for the fmarks2 value
- Enforce server-side numeric validation on the fmarks2 field, rejecting any value that is not an integer or decimal
- Apply database least-privilege so the application account cannot execute DDL or read tables outside its required scope
- Disable or remove the Student Record System if it is not actively used in the environment
# Example ModSecurity rule to block SQL meta-characters in fmarks2
SecRule ARGS:fmarks2 "@rx (?i)(union|select|sleep|benchmark|--|;|/\*)" \
"id:1006914,phase:2,deny,status:403,\
msg:'CVE-2025-6914 SQLi attempt in fmarks2 parameter',\
logdata:'Matched payload: %{MATCHED_VAR}'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
