A critical SQL Injection vulnerability, identified as CVE-2024-44659, has been discovered in the PHPGurukul Online Shopping Portal. This flaw allows an unauthenticated attacker to inject malicious database commands through the password reset feature, potentially leading to a complete compromise of the application's database, including sensitive customer data and credentials.

The vulnerability exists within the forgot-password.php script. The email parameter, used to identify a user for a password reset, does not properly sanitize user-supplied input before using it in a database query. An unauthenticated remote attacker can exploit this by crafting a malicious email value that contains SQL commands, which are then executed by the backend database. This allows the attacker to bypass authentication, read, modify, or delete sensitive data from the database, and in some configurations, execute commands on the underlying operating system.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have a devastating impact on the business, leading to a severe data breach. An attacker could exfiltrate the entire customer database, including personally identifiable information (PII), user credentials (usernames and passwords), and order histories. This would result in significant reputational damage, loss of customer trust, financial losses from fraud, and potential regulatory fines for non-compliance with data protection regulations.

Immediate Action: Immediately apply the security patches provided by the vendor. Update all instances of PHPGurukul Online Shopping Portal to the latest secure version to mitigate this vulnerability. After patching, it is crucial to monitor for any signs of post-remediation exploitation attempts and review historical access logs for evidence of a prior compromise.

Proactive Monitoring: Implement enhanced monitoring of web server and database logs. Specifically, look for unusual requests to forgot-password.php containing SQL syntax (e.g., ', --, UNION SELECT, SLEEP()). Utilize a Web Application Firewall (WAF) with rulesets designed to detect and block SQL Injection attack patterns in real-time.

Compensating Controls: If immediate patching is not feasible, deploy a WAF as a temporary mitigating control to block malicious requests targeting this vulnerability. Additionally, ensure the web application's database user account operates with the principle of least privilege, restricting its permissions to only what is absolutely necessary for application functionality, thereby limiting the potential impact of a successful exploit.

Public Exploit Available: true

Due to the critical severity (CVSS 9.8) and the high likelihood of exploitation, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that the remediation plan be executed as a top priority. All affected PHPGurukul Online Shopping Portal instances must be patched immediately. While this CVE is not currently on the CISA KEV list, its critical nature warrants the same level of urgency as a known exploited vulnerability.