Online Course Registration
CVE-2025-50485
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
AC:H because the attacker must first obtain a valid session token; UI:R for the victim's password change; C:L/I:L as impact is limited to a single hijacked CRM account.
Primary rating from Vendor (mitre).
CVSS Vector
Vendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Description (CVE.org)
Improper session invalidation in the component /crm/change-password.php of PHPGurukul Online Course Registration v3.1 allows attackers to execute a session hijacking attack.
Analysis (AI)
Session hijacking in PHPGurukul Online Course Registration v3.1 stems from the /crm/change-password.php component failing to invalidate existing sessions after a password change, letting an attacker who has captured or replayed a victim's session identifier retain authenticated access even after the credential is rotated. Publicly available exploit code exists (GitHub), but the flaw is not listed in CISA KEV and carries a low EPSS score of 0.40% (32nd percentile), indicating limited observed exploitation. The issue chiefly threatens confidentiality of the affected user's CRM account.
Technical Context (AI)
PHPGurukul Online Course Registration is a small PHP/MySQL web application distributed as free source code for academic and learning-management use. The root cause is CWE-613 (Insufficient Session Expiration): the password-change routine in /crm/change-password.php updates the stored credential but does not destroy or regenerate the server-side session, so a session token that was valid before the change remains valid afterward. Because PHP session handling here does not tie session lifetime to credential state, a token obtained through sniffing, fixation, or reuse continues to authenticate the holder. The single affected build is identified by cpe:2.3:a:phpgurukul:online_course_registration:3.1.
Remediation (AI)
No vendor-released patch identified at time of analysis; the references contain only a proof-of-concept (https://github.com/VasilVK/CVE/tree/main/CVE-2025-50485) and no fixed release for PHPGurukul Online Course Registration. As a code-level compensating control, modify /crm/change-password.php to call session_regenerate_id(true) and destroy all other active sessions for the account immediately after a successful password update, forcing re-authentication. Operators should additionally enforce HTTPS site-wide with the Secure and HttpOnly cookie flags to reduce token capture (trade-off: requires TLS configuration), set short session.gc_maxlifetime and cookie lifetimes to shrink the reuse window (trade-off: more frequent logins), and restrict access to the /crm/ interface to trusted networks or VPN where feasible. Monitor for the same session ID used from multiple IPs as a detection stopgap until an upstream fix is confirmed.
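One way to implement the compensating control described above, written for this page as an added example and not taken from PHPGurukul's code. It assumes a PDO connection and a `users` table with `id`, `password_hash` and an integer `session_epoch` column; those names and all function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not PHPGurukul code. Assumed: a PDO handle and a `users` table
// with columns id, password_hash and an integer session_epoch (default 0).
// At login the application would set $_SESSION['uid'] and $_SESSION['epoch'].

function start_session(): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true,
                               'samesite' => 'Lax', 'path' => '/']);
    session_start();
}

function current_epoch(PDO $db, int $uid): ?int
{
    $stmt = $db->prepare('SELECT session_epoch FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    $epoch = $stmt->fetchColumn();
    return $epoch === false ? null : (int) $epoch;
}

// Run at the top of every authenticated page. A session minted before the
// last password change carries a stale epoch and is torn down.
function require_current_session(PDO $db): void
{
    $uid = $_SESSION['uid'] ?? null;
    $epoch = $uid === null ? null : current_epoch($db, (int) $uid);
    if ($epoch !== null && $epoch === ($_SESSION['epoch'] ?? null)) {
        return;
    }
    $_SESSION = [];
    session_destroy();
    http_response_code(401);
    exit;
}

// Call after the current password has been verified. Bumping the epoch
// invalidates every other session for the account; the session that made
// the change continues under a fresh ID.
function change_password(PDO $db, int $uid, string $newPassword): void
{
    $stmt = $db->prepare(
        'UPDATE users SET password_hash = ?, session_epoch = session_epoch + 1 WHERE id = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $uid]);
    session_regenerate_id(true);   // the old session ID is deleted server-side
    $_SESSION['epoch'] = current_epoch($db, $uid);
}
```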