CVE-2025-63453
Unknown · Unknown Multiple Products (Specifically Car-Booking-System-PHP)
A critical SQL Injection vulnerability, identified as CVE-2025-63453, has been discovered in Car-Booking-System-PHP version 1.0.
Executive summary
A critical SQL Injection vulnerability, identified as CVE-2025-63453, has been discovered in Car-Booking-System-PHP version 1.0. This flaw allows an unauthenticated attacker to execute arbitrary SQL statements against the underlying database, potentially leading to a complete compromise of the system, theft of sensitive customer information, and operational disruption. Organizations using the affected software are at high risk and should take immediate action to mitigate this threat.
Vulnerability
The vulnerability is a classic SQL Injection flaw located in the /carlux/contact.php file of the application. An attacker can exploit this by sending specially crafted SQL queries through user-supplied input fields on the contact page. Because the application fails to properly sanitize this input, the malicious queries are executed directly by the database, allowing the attacker to bypass security mechanisms and interact with the database without authorization. This could enable an attacker to read, modify, or delete sensitive data, escalate privileges, and potentially gain command execution on the underlying server.
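The advisory does not reproduce the affected code, so the following is an added, self-contained illustration of the flaw class it describes and of the standard fix, written for this page rather than taken from Car-Booking-System-PHP. The table name, column names and the `email` field are assumptions; the in-memory SQLite database and the inputs are constructed for the example. The unsafe function builds the statement by string concatenation, the hardened one uses a parameterized query, and a small allowlist check shows the "strict input validation" layer the remediation section recommends as defence in depth.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's database. The table and
# column names are assumptions for this example, not the project's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact_messages (id INTEGER PRIMARY KEY, email TEXT, message TEXT)"
    )
    conn.executemany(
        "INSERT INTO contact_messages (email, message) VALUES (?, ?)",
        [("alice@example.com", "Question about a booking"),
         ("bob@example.com", "Please resend my invoice")],
    )
    conn.commit()
    return conn

def build_unsafe_query(email):
    # The pattern the advisory describes: user input spliced straight into the
    # SQL text, so quotes and keywords in the input become part of the statement.
    return f"SELECT id, email, message FROM contact_messages WHERE email = '{email}'"

def lookup_unsafe(conn, email):
    return conn.execute(build_unsafe_query(email)).fetchall()

def lookup_safe(conn, email):
    # Hardened form: a parameterized query. The driver passes the value
    # separately from the statement text, so the input is only ever data.
    return conn.execute(
        "SELECT id, email, message FROM contact_messages WHERE email = ?", (email,)
    ).fetchall()

# Defence in depth: a narrow allowlist for the field's expected shape, applied
# before the query. Validation complements parameterization; it does not replace it.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_plausible_email(value):
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR 1=1 --"            # constructed input: a quote plus a comment marker
    print(build_unsafe_query(crafted))  # the comment marker swallows the closing quote
    print(len(lookup_unsafe(db, crafted)), "rows via string concatenation")
    print(len(lookup_safe(db, crafted)), "rows via parameterized query")
    print(is_plausible_email(crafted))
```

Run as a script, the concatenated statement returns every row because the injected `OR 1=1` becomes part of the WHERE clause, while the parameterized statement returns nothing because the same bytes are compared literally against the email column. The same two lines of reasoning carry over to PHP: PDO or mysqli prepared statements with bound parameters are the equivalent of `lookup_safe`.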
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the business. Successful exploitation could lead to a severe data breach, exposing sensitive customer personally identifiable information (PII), booking details, and potentially payment information. The consequences include major financial loss, severe reputational damage, loss of customer trust, and potential legal and regulatory penalties. Furthermore, an attacker could manipulate or delete data, causing significant disruption to business operations that rely on the car booking system.
Remediation
Immediate Action: The primary remediation is to update all instances of the affected software to the latest version as recommended by the vendor. Prioritize patching for all internet-facing systems. In parallel, security teams should immediately begin monitoring for signs of exploitation by reviewing web server and database access logs for suspicious activity targeting the /carlux/contact.php endpoint.
Proactive Monitoring: Implement enhanced monitoring focused on the vulnerable component. Security teams should look for the following indicators in web server logs:
- HTTP requests to /carlux/contact.php containing SQL keywords such as SELECT, UNION, DROP, --, or other database-specific commands.
- Unusual or malformed data submitted through the contact form parameters.
- Anomalous activity or error messages in database logs originating from the web application's user account.
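The following is an added example of the log review described above, written for this page and not part of the advisory or the project. It parses access-log lines in the common Apache/nginx "combined" format, URL-decodes the query string of requests to /carlux/contact.php, and flags parameter values containing the keywords the advisory lists (SELECT, UNION, DROP, the `--` comment marker) plus, as a modest generalization, INSERT, UPDATE, DELETE and the `/*` comment opener. The sample log lines, IP addresses, timestamps and the `name` parameter are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" log format. Hosts, times and the
# parameter name are invented for this example, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /carlux/contact.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:13:55:41 +0000] "POST /carlux/contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:13:57:02 +0000] "GET /carlux/contact.php?name=x%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 214 "-" "curl/8.4"
198.51.100.7 - - [10/Oct/2025:13:57:09 +0000] "GET /carlux/contact.php?name=%27%3B%20DROP%20TABLE%20users%3B-- HTTP/1.1" 500 214 "-" "curl/8.4"
192.0.2.9 - - [10/Oct/2025:14:01:15 +0000] "GET /carlux/index.php?q=select HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Endpoint named in the advisory; extend the set if other scripts are of interest.
WATCHED_PATHS = {"/carlux/contact.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Keywords from the advisory plus common DML verbs and SQL comment openers.
SQL_INDICATOR = re.compile(r"(?i)\b(select|union|insert|update|delete|drop)\b|--|/\*")

def parse_line(line):
    """Split one combined-format line into fields; decoded query params included."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so encoded quotes and spaces are visible.
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec

def suspicious_params(params):
    """Return only the parameters whose decoded value carries an SQL indicator."""
    return {k: v for k, v in params.items() if SQL_INDICATOR.search(v)}

def scan_log(text, watched=WATCHED_PATHS):
    """Return one finding per request to a watched path with suspicious parameters."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in watched:
            continue
        bad = suspicious_params(rec["params"])
        if bad:
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "method": rec["method"],
                "status": rec["status"],   # a 500 alongside a hit corroborates a DB error
                "params": bad,
            })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['status']} {f['params']}")
```

Two limits worth keeping in mind when applying this to real logs. Access logs record only the request line, so a payload sent in a POST body (the contact form's normal path) is invisible here; the second sample line shows such a request with nothing to inspect. `suspicious_params` accepts any decoded dictionary, so the same check can be run over request bodies captured by a WAF audit log or by application-level logging. Second, a keyword match on a free-text field will produce some false positives (a message that legitimately contains the word "select"), so the status code and the database-side error logs mentioned in the last indicator are the signals to correlate before escalating.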
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL Injection attacks.
- Apply strict input validation and sanitization at the web server level to filter malicious characters before they reach the application.
- Review the database user permissions for the application and enforce the principle of least privilege, ensuring the account cannot perform administrative actions or access non-essential data.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend immediate and decisive action. Organizations must prioritize the identification of all systems running the vulnerable Car-Booking-System-PHP software and apply the necessary updates without delay. Although this CVE is not currently listed on the CISA KEV list, its high impact score makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the implementation of a WAF and other compensating controls should be treated as an urgent priority to mitigate the risk of a potentially devastating system compromise and data breach.