CVE-2025-2088
Published: 07 March 2025
Summary
CVE-2025-2088 is a high-severity Injection (CWE-74) vulnerability in Phpgurukul Pre-School Enrollment System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly and comprehensively prevents SQL injection by validating and sanitizing untrusted inputs such as fullname, emailid, and mobileNumber before use in database queries.
Mitigates the CVE by systematically identifying, prioritizing, and remediating the specific SQL injection flaw in the /admin/profile.php function.
Detects the SQL injection vulnerability through automated scanning of the web application for known issues like CWE-89.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in a publicly accessible web application (PHPGurukul Pre-School Enrollment System) directly enables remote unauthenticated exploitation over the network, mapping to Exploit Public-Facing Application.
NVD Description
A vulnerability, which was classified as critical, was found in PHPGurukul Pre-School Enrollment System up to 1.0. Affected is an unknown function of the file /admin/profile.php. The manipulation of the argument fullname/emailid/mobileNumber leads to sql injection. It is possible to…
more
launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2088 is a critical SQL injection vulnerability in the PHPGurukul Pre-School Enrollment System up to version 1.0. The issue affects an unknown function within the /admin/profile.php file, where the fullname, emailid, and mobileNumber parameters can be manipulated to inject malicious SQL code. Recent publications classify it under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation without authentication or user interaction, allowing unauthenticated attackers to access it over the network with low complexity. Successful exploitation can result in limited confidentiality impacts such as reading sensitive data, limited integrity impacts like modifying database entries, and limited availability impacts potentially causing low-level denial of service.
Advisories and additional details are available in references including a GitHub issue at https://github.com/SECWG/cve/issues/2, the vendor site at https://phpgurukul.com/, and VulDB entries at https://vuldb.com/?ctiid.298902, https://vuldb.com/?id.298902, and https://vuldb.com/?submit.514974. The exploit has been publicly disclosed and may be actively used by attackers.
Published on 2025-03-07, this vulnerability highlights ongoing risks in web applications handling enrollment data, with no reported patches specified in available details.
Details
- CWE(s)