User-Management-PHP-MYSQL
CVE-2025-12202
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security flaw has been discovered in ajayrandhawa User-Management-PHP-MYSQL web up to fedcf58797bf2791591606f7b61fdad99ad8bff1. This vulnerability affects unknown code. Performing manipulation results in cross-site request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Cross-site request forgery (CSRF) in ajayrandhawa User-Management-PHP-MYSQL allows remote attackers to perform unauthorized actions via crafted requests; the victim must interact with attacker-controlled content (UI:P). Publicly available exploit code exists, but the very low EPSS score (0.04%, 11th percentile) and the vendor's non-responsiveness suggest limited real-world exploitation despite the public POC. The CVSS base score of 2.1 reflects the low integrity impact and the user-interaction requirement.
Technical Context (AI-generated)
This is a classic cross-site request forgery vulnerability (CWE-352) in a PHP/MySQL-based user management application. CSRF occurs when an attacker crafts a web request that, when issued by an authenticated user's browser, performs an unwanted state-changing action on the target application without the user's knowledge or consent; the browser attaches the victim's session cookie automatically, so the application cannot tell the forged request from a legitimate one. The vulnerability lies in the application's request validation logic, which fails to implement or enforce an anti-CSRF defence (such as synchronizer tokens, or SameSite cookie attributes as a supporting control). The affected product uses continuous delivery with rolling releases, so traditional version tracking is not possible; the vulnerability exists up to commit fedcf58797bf2791591606f7b61fdad99ad8bff1. The application is built on PHP with a MySQL backend, a stack common in legacy or small-scale web applications.
Remediation (AI-generated)
No vendor-released patch is available, as the vendor did not respond to disclosure. For organizations still using this software, implement the following compensating controls: (1) Deploy a web application firewall (WAF) with CSRF token validation rules to enforce anti-CSRF protection at the reverse-proxy layer; the trade-off is additional infrastructure complexity, but it protects an application that has no CSRF defence of its own. (2) Configure SameSite cookie attributes (SameSite=Strict or SameSite=Lax) at the web server level to prevent cross-site cookie transmission; the trade-off is potential compatibility issues with legitimate cross-site integrations. (3) Enforce Content-Security-Policy (CSP) headers with frame-ancestors 'none' and form-action 'self' to restrict where the application's own pages may be framed and where their forms may be submitted; the trade-off is difficulty debugging third-party integrations. Note that a browser applies CSP only to the pages that serve it, so this control limits clickjacking and form hijacking on the application's pages rather than blocking a request submitted from an attacker-controlled page; it complements rather than replaces (1) and (2). (4) Strongly recommend migration to actively maintained user management solutions (e.g., Keycloak, Auth0, or modern PHP frameworks like Laravel/Symfony with built-in CSRF protection). Given vendor abandonment and the low real-world exploitation risk (EPSS 0.04%), this is a lower-priority patch target compared to actively exploited vulnerabilities.
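As an added illustration of the synchronizer-token defence the Technical Context and Remediation sections refer to, the PHP below shows an unprotected POST handler next to its hardened form, with the session cookie also set to SameSite=Lax. This is not code from User-Management-PHP-MYSQL (whose affected code is unknown); the table, column and form field names are assumed.

```php
<?php
// Added illustration of CWE-352 defenses in a PHP/MySQL app. Not code from
// User-Management-PHP-MYSQL; the table, column and form field names are assumed.
declare(strict_types=1);
// Session cookie flags: SameSite=Lax keeps the cookie off cross-site POSTs.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Issue one random token per session and render it into every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the session copy; missing or stale tokens fail.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}
// VULNERABLE pattern: any POST carrying the victim's session cookie is honoured.
function update_email_unsafe(PDO $db): void
{
    $stmt = $db->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$_POST['email'] ?? '', $_SESSION['user_id']]);
}
// HARDENED pattern: reject the request unless the synchronizer token matches.
function update_email_safe(PDO $db): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    $stmt = $db->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$_POST['email'] ?? '', $_SESSION['user_id']]);
}
?>
<!-- The hidden field carries the token; a page on another origin cannot read it. -->
<form method="post" action="profile.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="email" name="email" required>
  <button type="submit">Save</button>
</form>
```

A WAF rule as in control (1) enforces the same check outside the application: it rejects any state-changing request whose token field does not match the one bound to the session.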