PHPGurukul Apartment Visitors Management System CVE-2025-7818
Severity (by source): Low
CVSS vector (NVD, primary rating and only source for this CVE): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /category.php of the component HTTP POST Request Handler. The manipulation of the argument categoryname leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Stored cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users to inject malicious scripts via the categoryname parameter in /category.php, which are subsequently rendered to other users. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting its direct impact to account compromise or session hijacking of administrators who view the affected page. Public exploit code is available, but the exploitation probability is low (EPSS 0.05%), suggesting limited real-world weaponization despite public disclosure.
Technical Context (AI)
The vulnerability exists in the HTTP POST request handler for /category.php in a PHP-based apartment management application. The root cause is improper input validation and output encoding of the categoryname parameter, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The application fails to sanitize user-supplied input before storing it in a backend system (likely a database) or before reflecting it in HTML responses, allowing an authenticated attacker to embed arbitrary HTML and JavaScript that executes in the context of other users' browsers. This is a reflected or stored XSS vulnerability depending on whether the malicious payload persists in the database or is only reflected in the current request.
Remediation (AI)
No vendor-released patch identified at time of analysis. Immediate remediation requires upgrading to a patched version if available from PHPGurukul, or contacting the vendor at phpgurukul.com for a security update. As a compensating control, implement input validation and output encoding: validate the categoryname parameter against a server-side whitelist (alphanumeric characters and safe punctuation only) before storage, and apply HTML entity encoding (htmlspecialchars() in PHP with the ENT_QUOTES flag) before rendering it in HTML contexts. Additionally, send a Content Security Policy (CSP) header that restricts script execution to trusted sources, which limits the impact of XSS even if sanitization is bypassed. These controls introduce minimal performance overhead but require testing to ensure legitimate category names are not rejected. Monitor access logs for suspicious POST requests to /category.php with unusual payload sizes or characters.
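The following PHP is an added example of the compensating controls described above (whitelist validation, parameterised storage, htmlspecialchars() with ENT_QUOTES at render time, and a CSP header); it is not PHPGurukul's code, and the SQLite table name, column name and sample inputs are constructed assumptions rather than the product's real schema.

```php
<?php
// Added example, not PHPGurukul's code: hardened acceptance, storage and
// rendering of the categoryname POST field as the remediation above describes.
// The SQLite table/column names and the sample inputs are constructed here.

// Server-side whitelist: letters, digits, spaces, & _ . - and at most 50 chars.
function isValidCategoryName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9 &_.\-]{0,49}$/', $name) === 1;
}

// Output encoding for HTML text/attribute contexts. ENT_QUOTES also encodes
// ' and ", so a value cannot break out of a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Parameterised insert: the name never becomes part of SQL syntax.
function storeCategory(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO tblcategory (CategoryName) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Encode at render time as well: validation alone does not protect rows that
// were stored before the fix or written by another code path.
function renderCategoryList(PDO $db): string
{
    $items = '';
    foreach ($db->query('SELECT CategoryName FROM tblcategory') as $row) {
        $items .= '<li>' . h($row['CategoryName']) . '</li>';
    }
    return '<ul>' . $items . '</ul>';
}

// In-memory SQLite stands in for the application's database (assumption).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tblcategory (CategoryName TEXT NOT NULL)');
// CSP as defence in depth: an inline <script> that reaches the page does not run.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// In the real handler the value comes from $_POST['categoryname']; these are
// constructed samples, one acceptable and one that the whitelist rejects.
foreach (['Friends & Family', 'VIP <b>guests</b>'] as $name) {
    if (isValidCategoryName($name)) {
        storeCategory($db, $name);
        echo "stored: $name\n";
    } else {
        echo "rejected: $name\n";   // a 400 response in the real handler
    }
}
echo renderCategoryList($db), "\n";
```

Run it from the command line with the pdo_sqlite extension enabled; the accepted name is printed encoded (the & becomes &amp;), while the name containing markup is rejected before it is stored.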