Online Library Management System
CVE-2025-50488
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Network-reachable with no app privileges (PR:N) but requires obtaining a session token and victim interaction, raising complexity to AC:H; account access yields high confidentiality, low integrity, no availability impact.
Primary rating from Vendor (mitre).
CVSS Vector (Vendor: mitre)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Description (CVE.org)
Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack.
Analysis (AI)
Session hijacking in PHPGurukul Online Library Management System v3.0 stems from improper session invalidation in /library/change-password.php, where sessions are not properly terminated after credential changes, allowing an attacker who obtains or reuses a still-valid session token to impersonate a victim. Publicly available exploit code exists (GitHub, VasilVK), though there is no public exploit identified as actively exploited in the wild and it is not listed in CISA KEV. EPSS is low at 0.39% (31st percentile), indicating limited predicted mass-exploitation activity despite the available POC.
Technical Context (AI)
The affected component is a PHP web application (PHPGurukul Online Library Management System, CPE cpe:2.3:a:phpgurukul:online_library_management_system:3.0) commonly used as a small-scale library catalog and member management portal. The root cause is CWE-613 (Insufficient Session Expiration), where the change-password.php workflow fails to invalidate or rotate the existing session identifier after a security-relevant event such as a password change. In a correctly implemented flow, changing a password should terminate all other active sessions and issue a fresh session token; here, previously issued session cookies remain valid, so a captured or fixed session ID continues to grant authenticated access even after the account owner attempts to secure the account.
Remediation (AI)
No vendor-released patch was identified at the time of analysis; no fix version or official PHPGurukul advisory is present in the provided data. As compensating controls, configure the application/server to regenerate the session ID on every privilege or credential change and to invalidate all other active sessions when a password is changed (session_regenerate_id(true) plus server-side session store invalidation), which directly addresses CWE-613 but will log users out of concurrent sessions. Enforce short session idle and absolute timeouts, set cookies with the HttpOnly, Secure, and SameSite attributes to reduce token theft, and place the application behind a WAF or restrict administrative/member access to trusted networks or VPN to limit exposure while a code fix is developed. Monitor the POC repository (https://github.com/VasilVK/CVE/tree/main/CVE-2025-50488) and PHPGurukul for an official update, and given that this is niche software with no evident maintenance, consider migrating off it if no patch is released.
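The hardened change-password flow described above, written out as an added example (this is not PHPGurukul's code). It assumes a PDO connection and a hypothetical `users` table with a `session_version` column that the login handler also copies into the session; the per-request version check is what turns the server-side counter bump into invalidation of every other session.

```php
<?php
// Added example, not PHPGurukul's code: a change-password handler that closes
// the CWE-613 gap. Assumes a PDO handle and a hypothetical `users` table with
// columns id, password_hash, session_version (session_version is also copied
// into $_SESSION at login).
declare(strict_types=1);

$pdo = new PDO('sqlite:library.db');   // assumed connection, placeholder DSN
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Run on every authenticated request: a session issued before the last
// credential change carries an old session_version and is rejected.
function require_current_session(PDO $pdo): int
{
    if (empty($_SESSION['uid'])) { http_response_code(401); exit; }
    $st = $pdo->prepare('SELECT session_version FROM users WHERE id = ?');
    $st->execute([$_SESSION['uid']]);
    if (($_SESSION['session_version'] ?? -1) !== (int) $st->fetchColumn()) {
        $_SESSION = [];
        session_destroy();                    // stale token: force re-login
        http_response_code(401); exit;
    }
    return (int) $_SESSION['uid'];
}

function change_password(PDO $pdo, int $uid, string $current, string $new): bool
{
    $st = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $st->execute([$uid]);
    if (!password_verify($current, (string) $st->fetchColumn())) {
        return false;                         // re-authenticate before the change
    }
    // Bumping session_version invalidates every other session for this user;
    // the version check above then rejects those tokens on their next request.
    $st = $pdo->prepare('UPDATE users SET password_hash = ?, session_version = session_version + 1 WHERE id = ?');
    $st->execute([password_hash($new, PASSWORD_DEFAULT), $uid]);
    $st = $pdo->prepare('SELECT session_version FROM users WHERE id = ?');
    $st->execute([$uid]);
    // Rotate this session's ID, deleting the old one, and adopt the new version.
    session_regenerate_id(true);
    $_SESSION['session_version'] = (int) $st->fetchColumn();
    return true;
}

$uid = require_current_session($pdo);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = change_password($pdo, $uid, $_POST['current'] ?? '', $_POST['new'] ?? '');
    echo $ok ? 'Password changed; other sessions signed out.' : 'Current password incorrect.';
}
```

A captured pre-change session ID fails the version comparison on its next request and is destroyed, which is exactly the behaviour the vulnerable change-password.php lacks.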