SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the cid parameter to edit-course.php.
https://www.exploit-db.com/exploits/49513
https://phpgurukul.com/wp-content/uploads/2019/05/schoolmanagement.zip