CVE-2025-7757
Description
A vulnerability classified as critical was found in PHPGurukul Land Record System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-property.php. The manipulation of the argument editid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in PHPGurukul Land Record System 1.0 via the editid parameter in /edit-property.php allows unauthenticated remote attackers to execute arbitrary SQL commands.
Vulnerability Overview
CVE-2025-7757 is a critical SQL injection vulnerability discovered in PHPGurukul Land Record System version 1.0. The issue resides in the file /edit-property.php, where the editid parameter is directly concatenated into SQL queries without proper sanitization or parameterized queries [2]. This lack of validation allows an attacker to inject malicious SQL code through the editid GET parameter [2].
Exploitation & Attack Surface
The vulnerability can be exploited remotely without any authentication; the attacker does not need a valid session or login credentials [2]. An exploit payload has been publicly disclosed, demonstrating the use of a time-based blind SQL injection technique (e.g., sleep(5)) via a crafted editid value [2]. This means an attacker can interact with the database simply by sending a malicious HTTP GET request to the vulnerable endpoint.
Impact
Successful exploitation grants the attacker the ability to read, modify, or delete arbitrary data within the database. This could lead to unauthorized access to sensitive land record information, data tampering, and potential full system compromise if the database user has elevated privileges [2]. The confidentiality, integrity, and availability of the system are at high risk.
Mitigation
As of the advisory date, no official patch has been released by PHPGurukul for the Land Record System version 1.0 [1, 2]. The vendor's website primarily offers general PHP and PDO tutorials [1], but no specific security update is available for this product. Administrators should validate input and use prepared statements or parameterized queries, and consider implementing a web application firewall (WAF) to block malicious payloads. CVE-2025-7757 is listed with a CVSS v3 score of 7.3 (High).
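The mitigation described above, as an added example (not PHPGurukul's code and not taken from the cited advisory): editid is validated as a positive integer and then bound as a query parameter instead of being concatenated. It assumes PDO with an in-memory SQLite database standing in for the application's database; the `property` table, its columns and `findProperty()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not PHPGurukul code. Table, column and function names are
// hypothetical. An in-memory SQLite database stands in for the application's
// database so the script runs offline (requires PHP 8 and pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE property (id INTEGER PRIMARY KEY, owner TEXT)');
$pdo->exec("INSERT INTO property (id, owner) VALUES (1, 'Constructed Owner A'), (2, 'Constructed Owner B')");

/**
 * Look up one property row by the editid request parameter.
 * Returns the row, or null when editid is not a positive integer
 * or no row with that id exists.
 */
function findProperty(PDO $pdo, mixed $rawEditId): ?array
{
    // 1. Allow-list validation: editid must be a positive integer.
    $id = filter_var($rawEditId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // the calling page should answer with HTTP 400
    }

    // 2. Parameterized query: the value is bound, never concatenated.
    $stmt = $pdo->prepare('SELECT id, owner FROM property WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed inputs: two valid ids, then values that are not plain integers
// (text appended to the id, an empty string, a negative number).
$samples = ['1', '2', '1abc', '1 sleep(5)', '', '-3'];
foreach ($samples as $value) {
    $row = findProperty($pdo, $value);
    printf("%-14s => %s\n", var_export($value, true), $row ? $row['owner'] : 'rejected / not found');
}
```

In the real page the first argument would be `$_GET['editid'] ?? null`; validation alone narrows the input, while the bound parameter is what keeps the value out of the SQL text.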
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpgurukul:land_record_system:1.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- github.com/hex31415926/cve/issues/4 (nvd: Exploit, Issue Tracking)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- phpgurukul.com (nvd: Product)
- vuldb.com (nvd: Permissions Required, VDB Entry)