PHPGurukul Apartment Visitors Management System CVE-2025-7815
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability, which was classified as problematic, has been found in PHPGurukul Apartment Visitors Management System 1.0. This issue affects some unknown processing of the file /manage-newvisitors.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AnalysisAI
Cross-site scripting vulnerability in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users with high privileges to inject malicious scripts via the visname parameter in the /manage-newvisitors.php endpoint, exploitable only when the victim user clicks a crafted link. The CVSS score of 1.9 reflects the severe privilege requirement (PR:H), mandatory user interaction (UI:P), and limited impact (integrity only); EPSS exploitation probability is minimal at 0.05%, indicating this poses negligible real-world risk despite publicly available exploit code.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (XSS) flaw classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), occurring in the HTTP POST request handler for /manage-newvisitors.php. The visname parameter fails to sanitize or encode user-supplied input before rendering it in the response, allowing an attacker to inject arbitrary HTML and JavaScript. The PHP application processes visitor registration data without implementing output encoding or content security policy controls. This is a common pattern in PHP management applications when user-facing forms lack proper input validation and output encoding libraries.
RemediationAI
No vendor-released patch has been identified at time of analysis. The primary mitigation is to upgrade to a newer version if available, or contact PHPGurukul for security updates. As an immediate compensating control, implement HTML entity encoding (using PHP htmlspecialchars() or htmlentities() with ENT_QUOTES) on all output derived from the visname parameter and other user inputs in /manage-newvisitors.php. Additionally, enforce Content-Security-Policy (CSP) headers with strict script-src directives to prevent inline script execution. Restrict administrative access to /manage-newvisitors.php to trusted users only and disable high-privilege user accounts that are no longer in active use. Implement input validation to reject visname values containing HTML special characters (<, >, ", ', &) at the point of entry.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today