PHPGurukul Apartment Visitors Management System CVE-2025-7816
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability, which was classified as problematic, was found in PHPGurukul Apartment Visitors Management System 1.0. Affected is an unknown function of the file /visitor-detail.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Stored cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated remote attackers to inject malicious JavaScript via the visname parameter in /visitor-detail.php, which is then reflected to other users. The vulnerability requires user interaction (clicking a malicious link) but affects confidentiality and integrity of the application. Exploit code is publicly available on GitHub, though real-world exploitation remains limited (EPSS 0.05%).
Technical ContextAI
The vulnerability is a reflected/stored XSS vulnerability (CWE-79) in a PHP-based visitor management application. The /visitor-detail.php endpoint accepts HTTP POST requests with a visname parameter that is not properly sanitized or HTML-encoded before being rendered in the HTTP response. PHP applications commonly fail to use htmlspecialchars() or similar encoding functions when displaying user-controlled input in HTML context. The Apartment Visitors Management System is a small-scale PHP application typically deployed in shared hosting environments, making it representative of legacy PHP application security issues where parameterized input validation is minimal.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation options: (1) Upgrade to a patched version if PHPGurukul releases one by checking phpgurukul.com directly; (2) Manually patch the /visitor-detail.php file by applying HTML entity encoding to the visname parameter using htmlspecialchars($visname, ENT_QUOTES, 'UTF-8') before output; (3) Implement a Web Application Firewall (WAF) rule to block POST requests to /visitor-detail.php containing JavaScript keywords (script, onerror, onload) with High risk of false positives; (4) Restrict network access to the application to internal-only (VPN/bastion host) until patched, eliminating AV:N attack vector with minimal operational impact; (5) Disable the visitor detail feature if not essential, removing the attack surface entirely. Manual source code patching is recommended for organizations unable to wait for vendor updates, as the fix is straightforward (single line change). Monitor vuldb.com and phpgurukul.com for security advisories.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today