CVE-2025-65379

6.5 MEDIUM

📋 TL;DR

PHPGurukul Billing System 1.0 contains a SQL injection vulnerability in the password recovery functionality. Attackers can inject malicious SQL queries through the username and mobileno parameters, potentially accessing or manipulating database contents. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • PHPGurukul Billing System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation. Requires web server with PHP and MySQL/MariaDB.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise including credential theft, data exfiltration, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized access to user data, theft of administrative credentials, and potential privilege escalation.

🟢 If Mitigated: Limited impact; proper input validation and parameterized queries prevent successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection is well-understood with many automated tools available. The vulnerability is in a public-facing endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://phpgurukul.com/billing-system-using-php-and-mysql/

Restart Required: No

Instructions:

1. Download latest version from vendor website if available
2. Replace vulnerable files with patched versions
3. Test functionality before deploying to production

🔧 Temporary Workarounds

Input Validation and Sanitization
Platform: all
Add server-side validation for the username and mobileno parameters. Edit /admin/password-recovery.php to validate the inputs before the SQL query runs.

Parameterized Query Implementation
Platform: all
Replace concatenated SQL with prepared statements. Modify the SQL queries to use mysqli_prepare() and mysqli_stmt_bind_param().
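The two workarounds above, shown side by side as a constructed illustration; this is added example code, not PHPGurukul's own. The table and column names (tblusers, ID, UserName, MobileNumber), the $con connection handle and the input formats accepted by the validation are assumptions.

```php
<?php
// Added example: hardening a password-recovery lookup with prepared statements.
// Table/column names (tblusers, ID, UserName, MobileNumber) and the $con mysqli
// handle are assumptions, not taken from PHPGurukul's code.

// BEFORE (vulnerable pattern): user input is concatenated into the query, so a
// crafted username or mobileno changes the SQL that reaches the database.
function find_user_vulnerable(mysqli $con, string $username, string $mobileno): ?array
{
    $sql = "SELECT ID FROM tblusers WHERE UserName='" . $username
         . "' AND MobileNumber='" . $mobileno . "'";
    $res = mysqli_query($con, $sql);
    return $res ? (mysqli_fetch_assoc($res) ?: null) : null;
}

// AFTER: validate the inputs, then bind them as parameters. The query text is
// fixed at prepare time, so the bound values are never parsed as SQL.
function find_user_hardened(mysqli $con, string $username, string $mobileno): ?array
{
    // Server-side validation (assumed formats): a short username of safe
    // characters and a 10-digit mobile number. Adjust to the real rules.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,50}$/', $username)) {
        return null;
    }
    if (!preg_match('/^[0-9]{10}$/', $mobileno)) {
        return null;
    }

    $stmt = mysqli_prepare(
        $con,
        'SELECT ID FROM tblusers WHERE UserName = ? AND MobileNumber = ?'
    );
    if ($stmt === false) {
        error_log('password-recovery: prepare failed: ' . mysqli_error($con));
        return null;
    }
    // "ss": both placeholders are bound as strings; the values travel to the
    // server separately from the statement text.
    mysqli_stmt_bind_param($stmt, 'ss', $username, $mobileno);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // needs the mysqlnd driver
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}
```

On PHP builds without mysqlnd, mysqli_stmt_get_result() is unavailable; use mysqli_stmt_bind_result() and mysqli_stmt_fetch() instead.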

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns targeting /admin/password-recovery.php
  • Restrict access to /admin/ directory via IP whitelisting or authentication

🔍 How to Verify

Check if Vulnerable:

Test /admin/password-recovery.php endpoint with SQL injection payloads in username or mobileno parameters

Check Version:

Check version in system documentation or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return expected error messages

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed password recovery attempts with SQL syntax in parameters

Network Indicators:

  • HTTP requests to /admin/password-recovery.php containing SQL keywords like UNION, SELECT, OR 1=1

SIEM Query:

source="web_server" AND uri="/admin/password-recovery.php" AND (request_parameters CONTAINS "UNION" OR request_parameters CONTAINS "SELECT" OR request_parameters CONTAINS "OR 1=1")
