Cyber Posture

CVE-2025-25357

High · Public PoC

Published: 13 February 2025
Modified: 14 February 2025
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0265 (85.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-25357 is a SQL injection vulnerability (CWE-89) affecting the /admin/contactus.php component in PHPGurukul Land Record System version 1.0. Published on 2025-02-13, it enables remote attackers to execute arbitrary code by injecting malicious payloads via the email POST request parameter. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Exploitation requires high privileges (PR:H), such as administrative access, and can be performed remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Attackers with the necessary permissions can inject SQL payloads into the email parameter, leading to arbitrary code execution and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

References include writeups hosted on GitHub at https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/SQL%20Injection%20Emails.pdf, which detail the SQL injection vulnerability in the email parameter but do not specify mitigation steps or patches.

Details

CWE(s)
CWE-89

Affected Products

Vendor: phpgurukul
Product: land record system
Version: 1.0

MITRE ATT&CK Enterprise Techniques

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A SQL injection vulnerability in a public-facing web application (/admin/contactus.php) enables remote attackers to execute arbitrary code.

References