PHPGurukul Online Banquet Booking System CVE-2025-7924
Severity (by source): Low

CVSS vector (NVD; primary rating and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability classified as problematic was found in PHPGurukul Online Banquet Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in PHPGurukul Online Banquet Booking System 1.0 allows authenticated remote attackers to inject malicious scripts via the adminname parameter in /admin/admin-profile.php. The vulnerability requires user interaction (UI:P) to trigger payload execution but carries public exploit code, making it readily weaponizable despite the low CVSS score of 2.0 and minimal EPSS probability (0.07%).
Technical Context (AI)
The vulnerability is a classic reflected XSS flaw (CWE-79) in a PHP-based web application. The /admin/admin-profile.php endpoint fails to properly sanitize or encode user-supplied input in the adminname parameter before reflecting it back in the HTTP response. Because this is a reflected XSS requiring user interaction, an attacker must craft a malicious URL and socially engineer an authenticated admin user into clicking it. The low CVSS score reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), though the network attack vector (AV:N) means the exploit can be delivered remotely. The impact is limited to integrity of the session (VI:L) with no confidentiality or availability concerns in the base metrics.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Immediate mitigation requires implementing input validation and output encoding in /admin/admin-profile.php: validate the adminname parameter against a strict whitelist of expected characters, then HTML-encode all user-controlled data before rendering it in an HTML context using PHP's htmlspecialchars() function with the ENT_QUOTES flag (so that both single- and double-quoted attribute values are covered). Additionally, enforce Content Security Policy (CSP) headers with script-src 'self' to prevent inline script execution even if an XSS payload reaches the page. Restrict access to the /admin/ directory via WAF rules or network ACLs so that only trusted networks and authenticated users can reach it. If using a PHP framework, migrate to a templating engine with automatic contextual escaping (e.g., Twig). Long-term: consider upgrading to an actively maintained booking system or applying a web application firewall with XSS detection rules. Contact PHPGurukul via https://phpgurukul.com/ to request security patches and disclose the unpatched status.
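The following is an added example illustrating the remediation steps above; it is not PHPGurukul's code and not a reconstruction of the real admin-profile.php. Only the parameter name adminname and the file name come from the advisory; the form markup, the whitelist pattern, the function names and the CSP directive set are assumptions. It shows the unsafe reflection pattern beside a hardened version that validates, fails closed on rejected input, encodes with htmlspecialchars() using ENT_QUOTES, and sends a CSP header.

```php
<?php
// Added example (not PHPGurukul's code): a minimal, assumed reconstruction of
// the vulnerable reflection pattern beside a hardened version of the same
// profile form. Parameter name "adminname" comes from the advisory; the
// surrounding markup and helper names are assumptions for illustration.

// --- Vulnerable pattern (the class of bug described, do not use) ---
function render_profile_vulnerable(array $request): string {
    $adminname = $request['adminname'] ?? '';
    // Raw input lands unescaped inside an attribute value and in page text:
    // this is the reflected XSS sink.
    return '<input type="text" name="adminname" value="' . $adminname . '">'
         . '<p>Welcome, ' . $adminname . '</p>';
}

// --- Hardened version ---
// 1. Validate against a strict whitelist: letters, digits, space, dot, hyphen
//    and underscore, 1 to 50 characters. Reject anything else rather than
//    trying to "clean" it.
function validate_adminname(string $value): ?string {
    if (preg_match('/\A[\p{L}\p{N} ._-]{1,50}\z/u', $value) !== 1) {
        return null;
    }
    return $value;
}

// 2. Encode for HTML text and attribute context. ENT_QUOTES escapes both
//    " and ', so the value is safe inside single- or double-quoted attributes;
//    ENT_SUBSTITUTE stops invalid UTF-8 from silently yielding an empty string.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_profile_hardened(array $request): string {
    $raw = (string)($request['adminname'] ?? '');
    $adminname = validate_adminname($raw);
    if ($adminname === null) {
        // Fail closed: the rejected value is never echoed back into the page.
        return '<p class="error">Admin name contains unsupported characters.</p>';
    }
    return '<input type="text" name="adminname" value="' . h($adminname) . '">'
         . '<p>Welcome, ' . h($adminname) . '</p>';
}

// 3. Defence in depth: a CSP that forbids inline script. It must be sent before
//    any output. Note that it also blocks the application's own inline
//    <script> blocks and on*= handlers, so those must be moved to external
//    files served from the same origin before this header is deployed.
function send_csp_header(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Demonstration with a constructed probe value (run from the CLI: php example.php).
$probe = ['adminname' => '"><script>alert(1)</script>'];
echo "vulnerable:       " . render_profile_vulnerable($probe) . PHP_EOL;
echo "hardened:         " . render_profile_hardened($probe) . PHP_EOL;
echo "hardened (valid): " . render_profile_hardened(['adminname' => 'Jane Doe']) . PHP_EOL;
```

Running it shows the probe string emitted verbatim by the vulnerable renderer (the script tag breaks out of the value attribute), while the hardened renderer rejects it at validation and renders the error paragraph; a legitimate name passes validation and is rendered with any quotes or angle brackets entity-encoded. The whitelist is deliberately narrow; if the application genuinely needs other characters, widen the pattern but keep the encoding step, since encoding is what makes the output safe and validation only reduces the attack surface.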