Platform: php
Fixed in: 1.0.1
A SQL injection vulnerability, tracked as CVE-2025-9919, has been discovered in 1000projects Beauty Parlour Management System version 1.0. The 'fromdate' and 'todate' parameters of /admin/bwdates-reports-details.php reach the database query without adequate validation, so an attacker who can submit those parameters can alter the SQL statement the application executes. Successful exploitation can lead to unauthorized reading and modification of data in the backing database, affecting the confidentiality and integrity of the system. The vulnerability is fixed in version 1.0.1.
The SQL injection in Beauty Parlour Management System poses a significant risk to data security. Because attacker-controlled input reaches the query directly, an attacker could use the report endpoint to read records it was never meant to return, including customers' personal information, appointment details and billing records, and might also be able to modify or delete data, disrupting business operations and potentially creating regulatory compliance exposure. The publicly available proof-of-concept lowers the skill needed to exploit it.
This vulnerability is rated high risk because of its high CVSS rating and the availability of a public proof-of-concept. No active exploitation campaigns have been publicly confirmed, and the EPSS estimate is low, but the exploit is simple enough that opportunistic scanning for the endpoint is plausible. The script is located under /admin/; the advisory does not state whether it can be reached without an authenticated administrator session, which is the main factor in how exposed a given deployment is. The vulnerability was publicly disclosed on 2025-09-03, so unpatched installations have been exposed since then.
Exploit Status: public proof-of-concept available; no confirmed in-the-wild exploitation
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2025-9919 is to upgrade Beauty Parlour Management System to version 1.0.1 or later. If upgrading is not immediately feasible, restrict access to the /admin/ area (for example to trusted networks or behind an authenticating reverse proxy) and deploy a Web Application Firewall (WAF) with rules covering the /admin/bwdates-reports-details.php endpoint. Strict input validation on the 'fromdate' and 'todate' parameters (accepting only YYYY-MM-DD calendar dates) combined with parameterized queries removes the injection rather than filtering known payloads; a WAF alone is a stop-gap, since injection payloads can often be encoded or obfuscated past signature rules. Monitor web and application logs for requests to that endpoint whose date parameters contain anything other than a date, and watch the database for unusual query activity.
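The page does not show the affected code, so the vulnerable shape below is an assumption: the usual pattern of concatenating request parameters into the report query. The table name tblappointment and its columns are likewise assumed. This added example, not code from the project, contrasts that pattern with a hardened replacement that validates both dates and binds them as prepared-statement parameters:

```php
<?php
// Added example, not the project's code. The vulnerable query shape, the
// table name tblappointment and its column names are assumptions.

// --- Vulnerable pattern (assumed): request values concatenated into SQL ---
function vulnerableReportSql(string $fromdate, string $todate): string
{
    return "SELECT * FROM tblappointment WHERE date(AppointmentDate) "
         . "BETWEEN '$fromdate' AND '$todate'";
}

// --- Hardened replacement ---

// Accept only a real calendar date written as YYYY-MM-DD; anything else is null.
function parseReportDate(string $value): ?string
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat silently rolls 2025-02-31 over into March; the
    // round-trip comparison rejects such impossible dates.
    return ($d !== false && $d->format('Y-m-d') === $value) ? $value : null;
}

// The dates travel as bound parameters, so they cannot change the query text.
function fetchReportRows(mysqli $db, string $fromdate, string $todate): array
{
    $from = parseReportDate($fromdate);
    $to   = parseReportDate($todate);
    if ($from === null || $to === null || strcmp($from, $to) > 0) {
        http_response_code(400);
        exit('Invalid date range');
    }
    $stmt = $db->prepare(
        'SELECT ID, Name, Email, AppointmentDate FROM tblappointment '
      . 'WHERE date(AppointmentDate) BETWEEN ? AND ? ORDER BY AppointmentDate'
    );
    $stmt->bind_param('ss', $from, $to);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}

// Demo without a database: what the old pattern does with a classic payload,
// and what the validator makes of it. In the real handler the values would
// come from $_GET['fromdate'] / $_GET['todate'] (or $_POST; the page does not say).
$payload = "2025-01-01' OR '1'='1";
echo vulnerableReportSql($payload, '2025-12-31'), PHP_EOL;
foreach ([$payload, '2025-02-31', '2025-09-03'] as $candidate) {
    echo str_pad($candidate, 24), ' => ', var_export(parseReportDate($candidate), true), PHP_EOL;
}
```

With the classic payload the vulnerable function returns a statement whose WHERE clause has been rewritten by the attacker, while parseReportDate returns null for it and for impossible dates such as 2025-02-31, so fetchReportRows never reaches the database with attacker-shaped input. Binding the values rather than escaping them is what closes the hole; the format check is defense in depth and also gives the WAF and the log monitoring a precise definition of what counts as suspicious.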
Update to a patched version of the software. If a patched version is not available for your deployment, contact the vendor for a fix and, in the meantime, validate and sanitize the 'fromdate' and 'todate' inputs to prevent SQL injection. A web application firewall (WAF) can also be used to detect and block exploitation attempts.
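For the log monitoring recommended in the mitigation guidance, this added example (not from the page or the project) scans web-server access log lines in Apache combined format for requests to the vulnerable script whose fromdate or todate value is not a plain YYYY-MM-DD date. The log lines are constructed for the demo; the client addresses and user agents are made up.

```php
<?php
// Added example, not from the page or the project: flag requests to the
// vulnerable endpoint whose date parameters are not plain YYYY-MM-DD values.

const TARGET_PATH = '/admin/bwdates-reports-details.php';

function isPlainDate(string $v): bool
{
    return (bool) preg_match('/^\d{4}-\d{2}-\d{2}$/', $v);
}

// Returns one finding per offending parameter: line number, client IP,
// method, HTTP status, parameter name and the decoded value.
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        // Apache combined: ip ident user [date] "METHOD target HTTP/x.y" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $target, $status] = $m;
        $url = parse_url($target);
        if (($url['path'] ?? '') !== TARGET_PATH || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params); // decodes %27, %20 and friends
        foreach (['fromdate', 'todate'] as $p) {
            if (isset($params[$p]) && !isPlainDate((string) $params[$p])) {
                $findings[] = [
                    'line'   => $n + 1,
                    'ip'     => $ip,
                    'method' => $method,
                    'status' => (int) $status,
                    'param'  => $p,
                    'value'  => (string) $params[$p],
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample log (documentation-range addresses, made-up user agents).
$sample = [
    '203.0.113.10 - - [03/Sep/2025:10:12:01 +0000] "GET /admin/bwdates-reports-details.php?fromdate=2025-08-01&todate=2025-08-31 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Sep/2025:10:13:44 +0000] "GET /admin/bwdates-reports-details.php?fromdate=2025-08-01%27%20OR%20%271%27%3D%271&todate=2025-08-31 HTTP/1.1" 200 98304 "-" "sqlmap"',
    '198.51.100.7 - - [03/Sep/2025:10:13:45 +0000] "GET /admin/bwdates-reports-details.php?fromdate=2025-08-01%27%20AND%20SLEEP(5)--%20-&todate=2025-08-31 HTTP/1.1" 200 3110 "-" "sqlmap"',
    '203.0.113.10 - - [03/Sep/2025:10:15:00 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sample) as $f) {
    printf("line %d: %s %s %s=%s (HTTP %d)\n",
        $f['line'], $f['ip'], $f['method'], $f['param'], $f['value'], $f['status']);
}
```

This only works when the parameters travel in the query string; if the report form submits them by POST, the access log does not contain them and the same check has to run on application-level request logging or on a WAF or mod_security audit log. Boolean and time-based variants show up here only as odd parameter values, so pair this check with response-size and latency anomalies on the same path.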
CVE-2025-9919 is a SQL Injection vulnerability affecting Beauty Parlour Management System version 1.0, allowing attackers to manipulate SQL queries and potentially access sensitive data.
If you run Beauty Parlour Management System version 1.0, you are affected. Upgrade to version 1.0.1 or later to mitigate the risk.
The recommended fix is to upgrade to Beauty Parlour Management System version 1.0.1 or later. Consider WAF rules as a temporary workaround.
While no active campaigns are confirmed, the public availability of a proof-of-concept increases the likelihood of exploitation.
Refer to the 1000projects website or relevant security mailing lists for the official advisory regarding CVE-2025-9919.