PHPGurukul Cyber Cafe Management System CVE-2025-11390
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in PHPGurukul Cyber Cafe Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /search.php of the component POST Parameter Handler. Executing a manipulation of the argument searchdata can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
AnalysisAI
Stored cross-site scripting (XSS) in PHPGurukul Cyber Cafe Management System 1.0 allows remote attackers to inject malicious scripts via the searchdata POST parameter in /search.php, requiring user interaction to execute. The vulnerability has a low CVSS score (2.1) due to limited impact scope, but publicly available exploit code exists and the EPSS score (0.05%, 14th percentile) suggests minimal real-world exploitation likelihood despite public availability.
Technical ContextAI
The vulnerability exists in the POST parameter handler of /search.php, where user-supplied input from the searchdata parameter is not properly sanitized or encoded before being reflected or stored. This is a classic Reflected or Stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) common in PHP-based applications that lack input validation frameworks. The attack vector is HTTP-based over the network (AV:N), with low attack complexity (AC:L) and no privileges required (PR:N), but critically requires user interaction (UI:P) - typically clicking a malicious link or opening a crafted URL containing the XSS payload.
RemediationAI
Apply input validation and output encoding to the searchdata POST parameter in /search.php. Implement context-appropriate encoding (HTML entity encoding for HTML context, JavaScript escaping for JavaScript context) using PHP's htmlspecialchars() or htmlentities() functions with ENT_QUOTES flag, or preferably use a templating engine with automatic escaping. If available, upgrade to the latest version of PHPGurukul Cyber Cafe Management System from https://phpgurukul.com/. As an interim control, apply a Web Application Firewall (WAF) rule to block requests containing script-like payloads in the searchdata parameter. Content Security Policy (CSP) headers with script-src 'self' can mitigate impact by preventing inline script execution, though this is a defense-in-depth measure and not a primary fix. No vendor-released patch version is independently confirmed in available data.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today