PHPGurukul Online Banquet Booking System CVE-2025-7926
Severity (by source): LOW
CVSS 4.0 vector (NVD, the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, was found in PHPGurukul Online Banquet Booking System 1.0. This affects an unknown part of the file /admin/booking-search.php. The manipulation of the argument searchdata leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Cross-site scripting (XSS) in PHPGurukul Online Banquet Booking System 1.0 lets a remote attacker inject script through the searchdata parameter of /admin/booking-search.php. The search term is written back into the admin's search-results page without HTML encoding, so the payload executes in the browser of an administrator who submits, or is induced to submit, the crafted search. The advisory does not say whether the term is only echoed back or also persisted and shown later; the fix is the same in both cases. The NVD vector models an attacker with low privileges (PR:L) and a victim who must take an action such as following a crafted link (UI:P). Impact is bounded by what script can do inside the victim's admin session: reading cookies that lack the HttpOnly flag, driving admin actions through the UI, or presenting a fake login prompt to capture credentials. Public exploit code exists, but the EPSS score of 0.07% (21st percentile) and the CVSS score of 2.0 point to low real-world exploitation likelihood given the authentication and user-interaction preconditions.
Technical Context (AI)
The flaw sits in the admin search function. /admin/booking-search.php reads the searchdata parameter and writes it into the HTML response (and possibly into the database for later display) without encoding it, so characters such as <, >, " and ' keep their HTML meaning instead of being rendered as text. This is CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected product (CPE: cpe:2.3:a:phpgurukul:online_banquet_booking_system:1.0:*:*:*:*:*:*:*) is a PHP web application in which request parameters appear to be echoed straight into page markup rather than passed through an output-encoding layer. Script the attacker smuggles in runs with the application's origin in the authenticated administrator's browser, with access to the DOM, to any cookie not marked HttpOnly, and to every action the admin UI exposes.
Remediation (AI)
Upgrade to a patched release of PHPGurukul Online Banquet Booking System if phpgurukul.com publishes one. If none is available, apply compensating controls:
(1) Encode on output rather than "sanitizing" on input: pass the searchdata value, and any stored booking fields displayed alongside it, through htmlspecialchars() with ENT_QUOTES at every point where it is written into HTML. Encoding is context-specific; a value placed inside a JavaScript block or a URL needs JavaScript or URL encoding instead.
(2) Send a Content-Security-Policy header such as script-src 'self' (the keyword must be quoted) so that injected inline script is refused by the browser. This is defence in depth, not a substitute for encoding, and it will break any legitimate inline JavaScript the admin pages rely on, so test before rolling it out.
(3) Restrict the /admin/ directory to trusted networks (IP allow-list or VPN) to shrink the set of users who can be targeted.
(4) Input validation that rejects searchdata values containing tags or event handlers can be layered on, but tag and keyword blocklists are routinely bypassed and must never be the only control.
(5) Set the HttpOnly and Secure flags on session cookies so injected script cannot read the session ID; note that this does not stop script from acting through the admin UI within the victim's live session.
The most effective remediation remains upgrading to a maintained version or replacing the application with an actively supported banquet booking system.