PHPGurukul Online Banquet Booking System CVE-2025-7925
Severity (by source): Low
Primary rating from NVD · only source for this CVE.
CVSS 4.0 vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, has been found in PHPGurukul Online Banquet Booking System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument user_login/userpassword leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
Cross-site scripting (CWE-79) in PHPGurukul Online Banquet Booking System 1.0: the user_login and userpassword parameters of /admin/login.php are written back into the HTML response without encoding, so a remote, unauthenticated attacker can inject script that runs in the browser of whoever submits the crafted request. Because the injection point is a login-form input reflected in the response, the practical attack is a reflected one: the victim has to be induced to submit the crafted request (CVSS UI:P), after which the script executes in the application's origin. Public exploit code exists (CVSS E:P); the EPSS score of 0.10% nonetheless indicates a low probability of in-the-wild exploitation.
Technical Context (AI-generated)
The weakness is CWE-79, improper neutralization of input during web page generation. The admin login form at /admin/login.php in this PHP application renders the submitted user_login and userpassword values into its HTML response without sanitizing or escaping them, so an attacker-controlled value can break out of its HTML context and supply arbitrary JavaScript that executes, in the application's origin, in the browser of the administrator who submits the crafted form. The CVSS vector records low integrity impact and no confidentiality impact (VI:L, VC:N), which fits an injection point on an unauthenticated login page: the script gains only what that page's origin already exposes, such as any cookie not marked HttpOnly or the ability to alter the login form the administrator is about to use. The affected product is PHPGurukul Online Banquet Booking System version 1.0, identified by CPE cpe:2.3:a:phpgurukul:online_banquet_booking_system:1.0:*:*:*:*:*:*:*.
Remediation (AI-generated)
Encode every value that login.php reflects into the page for the HTML context it lands in: pass the user_login value through htmlspecialchars() with ENT_QUOTES (the default flags leave single quotes alone, so a value placed in a single-quoted attribute can still break out) and an explicit UTF-8 charset, and stop reflecting the userpassword value altogether; a login form has no reason to echo a password back, whether in an error message or as an input's value. Validate the username against the character set the application actually accepts before using it anywhere. As defense in depth, send a Content-Security-Policy header that disallows inline script, so that an encoding site the fix misses does not turn into script execution. No vendor-released patch version is publicly available at this time; contact phpgurukul.com for a fixed release or self-remediate by reviewing every place login.php writes request data into its output and applying context-specific output encoding. Test the fix by submitting <script>alert(1)</script> and an attribute-breakout probe such as ' onfocus=alert(1) autofocus in the user_login field and confirming that both come back as inert text in the response, not as markup.
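The pattern described in the Technical Context and Remediation sections, written out as an added example (this is not code from PHPGurukul or from the advisory): a minimal PHP login handler in its vulnerable shape beside its hardened shape, with the constructed XSS probes from the test step run against both. Function names, the stand-in credential check and the probe strings are assumptions for illustration; the real /admin/login.php is not reproduced here. Requires PHP 8 (str_contains).

```php
<?php
// Added example, not PHPGurukul code: the CWE-79 pattern this advisory
// reports (vulnerable) beside a hardened rendering of the same form.
// Function names and the credential check are assumptions for illustration.
declare(strict_types=1);

// Stand-in for the application's real credential lookup (assumption).
function credentials_valid(string $login, string $password): bool
{
    return $login === 'admin' && $password === 'correct horse battery staple';
}

// Coerce a request parameter to a string: a missing key or an array value
// (user_login[]=x) becomes '' instead of reaching htmlspecialchars() and throwing.
function param(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : '';
}

// VULNERABLE: request values are interpolated into an error message and into
// a single-quoted value attribute without encoding, and the password is
// echoed back as well. This is the reflected-XSS shape the advisory describes.
function render_login_vulnerable(array $post): string
{
    $login = param($post, 'user_login');
    $pass  = param($post, 'userpassword');
    $error = credentials_valid($login, $pass)
        ? ''
        : "<p class='error'>Invalid login for $login / $pass</p>";
    return $error
        . "<form method='post'>"
        . "<input name='user_login' value='$login'>"
        . "<input name='userpassword' type='password' value='$pass'>"
        . "<button>Login</button></form>";
}

// HTML-context encoder. ENT_QUOTES covers single-quoted attributes (the
// default flags leave ' untouched); ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole string into '' and silently blanking the field.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: the username is encoded wherever it is reflected, the password is
// never reflected, and the error text is generic.
function render_login_hardened(array $post): string
{
    $login = param($post, 'user_login');
    $pass  = param($post, 'userpassword');
    $error = credentials_valid($login, $pass)
        ? ''
        : "<p class='error'>Invalid username or password.</p>";
    return $error
        . "<form method='post'>"
        . "<input name='user_login' value='" . esc($login) . "'>"
        . "<input name='userpassword' type='password'>"
        . "<button>Login</button></form>";
}

// Defense in depth: no inline script, so a missed encoding site cannot run.
// Must be sent before any output.
const LOGIN_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

if (PHP_SAPI === 'cli') {
    // Constructed probes: the tag-injection classic, an attribute breakout that
    // a filter looking only for '<script>' would miss, and a non-string value.
    $probes = [
        ['user_login' => '<script>alert(1)</script>',        'userpassword' => 'x'],
        ['user_login' => "' autofocus onfocus='alert(1)",     'userpassword' => 'x'],
        ['user_login' => ['not', 'a', 'string'],              'userpassword' => 'x'],
    ];
    foreach ($probes as $p) {
        $bad  = render_login_vulnerable($p);
        $good = render_login_hardened($p);
        echo "--- vulnerable ---\n$bad\n--- hardened ---\n$good\n\n";
        // The hardened output must contain neither the raw tag nor a live event
        // handler attribute, and must never echo the submitted password.
        if (str_contains($good, '<script>') || str_contains($good, "onfocus='")
            || str_contains($good, "value='x'")) {
            fwrite(STDERR, "hardened rendering still reflects input unencoded\n");
            exit(1);
        }
    }
    echo "CSP to send with the page: " . LOGIN_CSP . "\n";
} else {
    header('Content-Security-Policy: ' . LOGIN_CSP);
    header('Content-Type: text/html; charset=UTF-8');
    echo render_login_hardened($_POST);
}
```

Run with `php login_example.php` to see the two renderings side by side: the vulnerable form turns the second probe into `value='' autofocus onfocus='alert(1)'`, a live event handler, while the hardened form emits the same bytes as encoded text inside the attribute. The third probe shows why the string coercion matters: under strict types, an array parameter would otherwise make htmlspecialchars() throw and turn a hardening change into a crash.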