PHPGurukul Art Gallery Management System CVE-2025-7767
Severity (by source): LOW
CVSS 4.0 vector (NVD; the primary rating and the only scoring source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, has been found in PHPGurukul Art Gallery Management System 1.1. Affected by this issue is some unknown functionality of the file /admin/edit-art-medium-detail.php. The manipulation of the argument artmed leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in PHPGurukul Art Gallery Management System 1.1: the artmed parameter of /admin/edit-art-medium-detail.php is echoed into the page without encoding, so a crafted link executes attacker-supplied script in the browser of whoever opens it. The endpoint sits behind the admin login (PR:L) and the victim must open the link (UI:P), so in practice the attacker tricks a logged-in administrator rather than needing an account of their own; the NVD vector rates the impact as a low integrity loss (VI:L) confined to the admin interface. Public proof-of-concept exploit code exists (E:P), though the EPSS probability is very low at 0.05%, suggesting limited real-world exploitation despite disclosure.
Technical Context (AI)
This is a reflected XSS vulnerability (CWE-79) in a PHP-based gallery management application. The endpoint /admin/edit-art-medium-detail.php renders the user-supplied 'artmed' parameter into an HTML context without validating it or encoding it for that context. Because the page lives in the administrative interface, the payload runs only in a browser that already holds an admin session: the attacker either has admin credentials themselves or sends a logged-in administrator a crafted link to the admin panel. The attack is network-reachable, but the victim must be logged in and must open the link. Any script that runs in that session can issue requests carrying the administrator's cookies, so the practical blast radius is whatever the admin panel lets an administrator change, even though the published vector scores only a low integrity impact (VI:L).
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. The primary fix is a vendor update: check https://phpgurukul.com/ for a version newer than 1.1 that addresses this issue, or ask the vendor for one. Until then, compensating controls include:
(1) Validate the artmed parameter and encode it on output with context-aware encoding. In PHP, htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') is the right call for HTML body and quoted-attribute contexts; on PHP versions before 8.1 the default flags (ENT_COMPAT) leave single quotes unencoded, so pass ENT_QUOTES explicitly.
(2) Add a Web Application Firewall (WAF) rule that blocks script tags and event-handler attributes in the artmed parameter. Treat this as a stopgap: signature filters are routinely bypassed with alternative tags and encodings.
(3) Restrict access to /admin/ to trusted IP ranges via .htaccess or firewall rules, which shrinks the set of browsers that can reach the vulnerable endpoint at all.
(4) Tell administrators not to follow links to the admin panel from untrusted sources, since the XSS fires only when a logged-in administrator opens a crafted URL.
Each compensating control trades some functionality or convenience for security; only (1) removes the defect itself.
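The following is an added PHP example, not PHPGurukul's code: it puts the vulnerable rendering pattern that control (1) addresses beside a hardened version of the same form field. Only the parameter name artmed and the affected path come from the advisory; the function names (renderVulnerable, renderHardened, validateArtMedium, e), the validation rule for medium names and the form markup are assumptions made for illustration, and the attacker value is a constructed payload. Run it with `php example.php` to see both renderings side by side.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code). Assumed: an admin "edit art medium"
// page reads `artmed` from the query string and renders it into a text input.

// Vulnerable pattern: the request value is interpolated straight into HTML,
// so `"><script>...` closes the attribute and the tag and runs as script.
function renderVulnerable(array $get): string
{
    $artmed = $get['artmed'] ?? '';
    return '<input type="text" name="artmed" value="' . $artmed . '">';
}

// Context-aware encoder for HTML body and quoted-attribute contexts.
// ENT_QUOTES is passed explicitly so single quotes are encoded on PHP < 8.1 too.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed validation rule: a medium name is a short printable string.
// Returns null for anything else, including an array (artmed[]=x), which
// PHP would otherwise turn into the string "Array" with a warning.
function validateArtMedium(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

// Hardened: validate first, then encode for the attribute context on output.
// A rejected value is never echoed back, not even encoded.
function renderHardened(array $get): string
{
    $artmed = validateArtMedium($get['artmed'] ?? '');
    if ($artmed === null) {
        return '<p class="error">Invalid art medium.</p>';
    }
    return '<input type="text" name="artmed" value="' . e($artmed) . '">';
}

// Constructed payload: the kind of value an attacker would place in a link
// sent to a logged-in administrator.
$payload = ['artmed' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable:        ", renderVulnerable($payload), "\n";
echo "Hardened:          ", renderHardened($payload), "\n";
echo "Hardened (benign): ", renderHardened(['artmed' => 'Oil on canvas']), "\n";
echo "Hardened (array):  ", renderHardened(['artmed' => ['x']]), "\n";
```

In the hardened output the payload is rendered as `value="&quot;&gt;&lt;script&gt;...` and stays inside the attribute, while the benign value passes through unchanged. The encoder is correct only for the HTML body and quoted-attribute contexts shown here; if the same parameter were ever reflected inside a script block, an inline event handler or a URL, that context needs its own encoding, not htmlspecialchars().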