PHPGurukul Apartment Visitors Management System CVE-2025-7858
Severity (by source): LOW
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability classified as problematic has been found in PHPGurukul Apartment Visitors Management System 1.0. This affects an unknown part of the file /admin-profile.php of the component HTTP POST Request Handler. The manipulation of the argument adminname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Stored cross-site scripting in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users to inject malicious scripts via the adminname parameter in /admin-profile.php, affecting other administrators who view the modified profile. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), which limits its severity despite being reachable over the network. Publicly available exploit code exists, though real-world exploitation depends on social engineering authenticated users into clicking malicious links, or on an administrator interacting with the modified profile.
Technical Context (AI)
The vulnerability exists in the HTTP POST request handler for /admin-profile.php, a PHP component responsible for processing administrator profile updates. The adminname parameter fails to properly sanitize or escape user input before storage or display, allowing injection of arbitrary HTML and JavaScript. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability where unsanitized user-controlled input is reflected or stored in a web page context. The affected product is a visitor management system built on PHP, where administrative functions are exposed through web-based interfaces without adequate output encoding.
Remediation (AI)
The primary remediation is to upgrade to a patched version when available from PHPGurukul; however, no specific patched version is documented in the provided references. As an interim measure, apply HTML entity encoding (htmlspecialchars or equivalent in PHP) to the adminname parameter on both storage and display in /admin-profile.php and any other profile-related endpoints. Additionally, implement Content Security Policy (CSP) headers to restrict inline script execution, reducing the impact of any stored XSS to data theft rather than full session compromise. For critical deployments unable to patch immediately, restrict admin panel access to specific IP addresses or enforce additional authentication factors (e.g., TOTP) for sensitive operations. Monitor admin profile modification logs for suspicious entries containing script-like content. Contact PHPGurukul through phpgurukul.com or their issue tracker to confirm patch availability and timeline.
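As an added example that is not part of this page or of PHPGurukul's code, the following PHP applies the interim measures above to a constructed adminname handler: validation on input, a prepared statement for storage, htmlspecialchars on every output, and a Content-Security-Policy header. It encodes at output only, so the stored value is never double-encoded; $pdo, the tbladmin table, the AdminName/ID columns and the $_SESSION['adminid'] key are assumptions made for illustration.

```php
<?php
// Added example, not PHPGurukul's code: a hardened handler for the adminname
// field, modelled on the /admin-profile.php POST flow described above. $pdo,
// tbladmin, the AdminName/ID columns and $_SESSION['adminid'] are assumptions.
declare(strict_types=1);
// Defence in depth: a CSP that blocks inline scripts limits what a stored
// payload can do even if an encoding step is missed. Send it before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// Encode for an HTML text or attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE prevents an empty result on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation: trim, bound the length, reject control characters.
// Returns null when the value must be refused.
function validateAdminName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    return preg_match('/[\x00-\x1F\x7F]/u', $name) ? null : $name;
}

// Storage: a prepared statement keeps the query intact; the validated value is
// stored as-is so that encoding happens exactly once, at output.
function updateAdminName(PDO $pdo, int $adminId, string $raw): bool
{
    $name = validateAdminName($raw);
    if ($name === null) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE tbladmin SET AdminName = :name WHERE ID = :id');
    return $stmt->execute([':name' => $name, ':id' => $adminId]);
}

// Display: every rendering of the stored name passes through escapeHtml().
// Unsafe pattern this replaces: value="' . $row['AdminName'] . '"
function renderAdminName(string $storedName): string
{
    return '<input type="text" name="adminname" value="' . escapeHtml($storedName) . '">';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['adminname'])) {
    $ok = updateAdminName($pdo, (int) $_SESSION['adminid'], (string) $_POST['adminname']);
    echo $ok ? 'Profile updated' : 'Invalid admin name';
}
```

Any other template that prints the stored name (list views, headers, audit pages) needs the same escapeHtml() call, since one missed output context is enough for the stored payload to render.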