CVE-2025-7927
BaseFortify
Publication date: 2025-07-21
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | online_banquet_booking_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7927 is a critical SQL Injection vulnerability in the PHPGurukul Online Banquet Booking System version 1.0. It exists in the file /admin/view-user-queries.php, specifically in the 'viewid' parameter. The vulnerability occurs because user input is not properly sanitized or parameterized before being used in SQL queries, allowing attackers to inject arbitrary SQL code. This can be exploited remotely without authentication by manipulating the 'viewid' argument in a GET request, potentially leading to unauthorized database access or manipulation. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive data, data tampering or deletion, full system compromise, and denial of service through database manipulation. Attackers can exploit the flaw remotely without authentication to execute arbitrary SQL commands, potentially leading to loss of confidentiality, integrity, and availability of the system's data and services. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'viewid' parameter in the /admin/view-user-queries.php file for SQL injection. A simple test is to send a crafted GET request with payloads such as 'viewid=3 or 1--' to observe if the SQL query logic is manipulated. Tools like sqlmap can be used to automate detection and enumeration of databases via this injection point. Additionally, Google dorking with the query 'inurl:admin/view-user-queries.php' can help identify vulnerable targets. Example command using curl: curl 'http://targetsite.com/admin/view-user-queries.php?viewid=3 or 1--' or using sqlmap: sqlmap -u 'http://targetsite.com/admin/view-user-queries.php?viewid=3' --risk=3 --level=5 [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement prepared statements with PDO or MySQLi to parameterize SQL queries and avoid direct insertion of user input. 2) Validate and sanitize all user inputs strictly against expected formats. 3) Limit database user privileges to avoid using high-privilege accounts such as root. 4) Deploy a Web Application Firewall (WAF) to detect and block SQL injection attempts. 5) Conduct regular security audits and code reviews to identify and fix vulnerabilities. If possible, replace the affected component with a secure alternative. [1]