PHPGurukul Complaint Management System CVE-2025-7802
Severity (by source): LOW
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; NVD is the only source for this CVE.
Description (CVE.org)
A vulnerability was found in PHPGurukul Complaint Management System 2.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/complaint-search.php. The manipulation of the argument Search leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting (XSS, CWE-79) in PHPGurukul Complaint Management System 2.0: the Search parameter of /admin/complaint-search.php is echoed into the response without encoding, so a crafted request can inject script into the page. Because the endpoint lives in the admin area, the injected script only runs in the browser of a user who is already logged in to the admin panel and is tricked into following the crafted link (CVSS 4.0 models this as PR:L with UI:P). That combination of required privileges and victim interaction limits real-world impact despite a public proof of concept; the EPSS score of 0.05% cited by the source indicates a very low probability of exploitation in the wild. The impact, if it does succeed, is execution in the admin session: the script can read anything the admin can see and issue requests with the admin's privileges.
Technical Context (AI)
The flaw is a reflected XSS in a PHP-based complaint management application. The /admin/complaint-search.php endpoint renders the Search parameter back into the HTML response without HTML-encoding it, so metacharacters such as `"`, `<` and `>` in the parameter break out of the surrounding markup and any script the attacker appends is interpreted by the browser. Echoing request parameters straight into output with `echo` or string interpolation is a common pattern in small PHP applications. The /admin path is presumably behind the administrator login, so only a holder of valid credentials can reach the vulnerable code directly; an attacker without credentials still has a path by sending a crafted link to an administrator who is logged in. Note that the advisory does not say whether the parameter is read from the query string or a POST body; if it is POST-only, the delivery vector is an auto-submitting form on an attacker page rather than a plain link.
Remediation (AI)
The primary remediation is a vendor-supplied fix, but no fixed version is confirmed in the available advisory data. Until one is available, apply compensating controls: HTML-encode the Search parameter everywhere it is written into the response (`htmlspecialchars()` with `ENT_QUOTES` in PHP, so that both double- and single-quoted attribute contexts are covered); validate the parameter against an allow-list of characters appropriate for a complaint search (letters, digits, spaces and minimal punctuation) and reject everything else; and send a Content-Security-Policy header that disallows inline script, which neutralises the typical `<script>` and `onerror=` payloads even if an encoding gap remains. Also set the `HttpOnly` and `Secure` flags on the admin session cookie so that a successful injection cannot read the session id, although the script can still act within the victim's session while the page is open. Monitor the vendor site (https://phpgurukul.com/) and the VulDB entry (https://vuldb.com/?submit.616740) for patch availability. For a self-hosted installation, the public disclosure at https://github.com/N1n3b9S/cve/issues/7 shows the triggering input, which is useful for confirming that a local fix is effective.