CVE-2025-12610 – CodeAstro Gym Management System 1.0 contains a ... (How to Fix)

Q: What is the severity of CVE-2025-12610?

CVE-2025-12610 has a CVSS score of 4.7 (MEDIUM). CodeAstro Gym Management System 1.0 contains a SQL injection vulnerability in the /admin/view-progress-report.php file through manipulation of the ID parameter. This allows attackers to execute arbitrary SQL commands on the database. Organizations using this specific version of the gym management software are affected.

📋 TL;DR

CodeAstro Gym Management System 1.0 contains a SQL injection vulnerability in the /admin/view-progress-report.php file through manipulation of the ID parameter. This allows attackers to execute arbitrary SQL commands on the database. Organizations using this specific version of the gym management software are affected.

💻 Affected Systems

Products:

CodeAstro Gym Management System

Versions: 1.0

Operating Systems: All platforms running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects installations with the vulnerable /admin/view-progress-report.php file accessible.

📦 What is this software?

Gym Management System by Codeastro

View all CVEs affecting Gym Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized access to sensitive member data (personal information, payment details, health metrics), system disruption, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires admin access to reach the vulnerable endpoint. Public disclosure increases weaponization likelihood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://codeastro.com/

Restart Required: No

Instructions:

No official patch available. Implement workarounds or consider alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to sanitize the ID parameter before processing.

Modify /admin/view-progress-report.php to validate ID parameter as integer using is_numeric() or filter_var()

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Add WAF rule: Block requests to /admin/view-progress-report.php with suspicious SQL patterns in ID parameter

🧯 If You Can't Patch

Restrict access to /admin/view-progress-report.php using IP whitelisting or authentication requirements
Implement database user with minimal permissions (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test the /admin/view-progress-report.php endpoint with SQL injection payloads in the ID parameter (e.g., ID=1' OR '1'='1).

Check Version:

Check software version in admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return appropriate error messages or are blocked.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts followed by access to /admin/view-progress-report.php
Requests with SQL keywords in ID parameter

Network Indicators:

HTTP requests to /admin/view-progress-report.php containing SQL injection patterns

SIEM Query:

source="web_logs" AND uri="/admin/view-progress-report.php" AND (param="ID" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|exec|--|#|;)")

📊 Metadata

CVE ID: CVE-2025-12610

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

Published: November 3, 2025

Last Updated: February 24, 2026

🔗 References

https://codeastro.com/ Product
https://github.com/danz0424/loudong/issues/1 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.330905 Permissions Required,VDB Entry
https://vuldb.com/?id.330905 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.678450 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.683064

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12610, you might also want to check these: