CVE-2025-25389

CVE-2025-25389, published on 2025-02-13, is a SQL injection vulnerability (CWE-89) affecting the /admin/forgot-password.php component in Phpgurukul Land Record System version 1.0. The flaw allows remote attackers to execute arbitrary code by injecting malicious payloads via the "contactno" POST request parameter. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility, low complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.

Remote, unauthenticated attackers can exploit this vulnerability over the network by submitting a crafted POST request to the affected endpoint with a specially manipulated "contactno" parameter. Successful exploitation grants arbitrary code execution on the vulnerable server, enabling attackers to potentially read sensitive data, modify records, or disrupt system operations.

A technical writeup is available at https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/SQL%20Injection%20forget.pdf, which documents the vulnerability discovery and proof-of-concept details. No official vendor advisories or patches are referenced in the provided information.