PHPGurukul Small CRM CVE-2025-15390
Severity (by source): LOW
CVSS vector (NVD, primary rating and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Analysis (AI)
Missing authorization in the /admin/edit-user.php endpoint of PHPGurukul Small CRM 4.0 lets an authenticated but low-privileged user reach an administrative user-management function over the network. Because the page edits other accounts, the likely outcome is privilege escalation (for example, changing another account's details or role) rather than a simple information leak. Public exploit code exists and the CVSS vector marks the flaw as network-reachable, but the low EPSS score (0.02%, 4th percentile) and the need for valid credentials before the flaw can be triggered suggest limited real-world exploitation so far.
Technical Context (AI)
The flaw lies in /admin/edit-user.php, a PHP page in the application's administrative interface. CWE-862 (Missing Authorization) means the page is reachable without an adequate access-control check: the code most likely verifies that a session exists but not that the session belongs to an administrator, so the edit-user function is not restricted to the role that should own it. The attack goes through the ordinary HTTP interface (AV:N in the CVSS vector), and the PR:L component shows that the attacker must already hold some account on the application; read together with the description, this is an authorization bypass (a logged-in low-privilege user acting as an admin), not an authentication bypass (an anonymous user getting in).
Remediation (AI)
Add a server-side authorization check to /admin/edit-user.php that confirms the authenticated session belongs to an administrator before any edit-user request is processed, and apply the same check to every other page under /admin/ that performs privileged actions. Update PHPGurukul Small CRM to a patched version once the vendor publishes one; check phpgurukul.com for advisories and download instructions. As an interim compensating control, restrict network access to the /admin/ directory to trusted IP addresses at the web server (nginx configuration, Apache .htaccess) or firewall, so that only internal networks can reach it. Audit user accounts, roles and permissions inside the CRM for changes or administrative accounts that may have been created through this flaw while it was exposed, and review application logs for edit-user requests coming from non-administrative accounts. These compensating controls do not fix the underlying authorization flaw and should be treated as temporary until a vendor patch is deployed.