PHPGurukul Online Banquet Booking System CVE-2025-7927
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in PHPGurukul Online Banquet Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/view-user-queries.php. The manipulation of the argument viewid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
SQL injection in PHPGurukul Online Banquet Booking System 1.0 allows authenticated remote attackers to manipulate the viewid parameter in /admin/view-user-queries.php, enabling database query manipulation with limited confidentiality and integrity impact. Despite a critical severity classification in the original report, the CVSS 4.0 score of 2.1 reflects low real-world risk due to required authentication and restricted impact scope. Public exploit code is available, but the low EPSS score (0.08th percentile) indicates minimal likelihood of widespread exploitation.
Technical Context (AI-generated)
PHPGurukul Online Banquet Booking System is a PHP-based web application for managing banquet bookings. The vulnerability stems from improper input validation on the viewid parameter in the admin panel file /admin/view-user-queries.php, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The SQL injection allows crafted input to be concatenated into database queries without sanitization. The affected version is 1.0, identified by CPE cpe:2.3:a:phpgurukul:online_banquet_booking_system:1.0:*:*:*:*:*:*:*.
Remediation (AI-generated)
Upgrade to a patched version of PHPGurukul Online Banquet Booking System if available from the vendor at https://phpgurukul.com/. If no upgrade is immediately available, implement input validation and parameterized queries (prepared statements) for the viewid parameter in /admin/view-user-queries.php to prevent SQL injection. Additionally, restrict access to the /admin/ directory using authentication mechanisms, network-level access controls (firewall rules, WAF), or IP whitelisting to limit exposure to trusted administrators only. Implement database user privilege restrictions to ensure the account used by the application has minimal necessary permissions (no DROP, ALTER, or administrative privileges). Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the viewid parameter, though this provides defense-in-depth rather than complete remediation.
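The remediation above asks for input validation and a prepared statement on viewid. The following is an added illustration, not code from PHPGurukul or from this record: it places the general vulnerable pattern (a request parameter concatenated into SQL text) beside a hardened handler that validates viewid as a positive integer and binds it through a PDO prepared statement. The table and column names (tblcontactquery, id), the connection details and the function names are assumptions chosen for the example.

```php
<?php
// Added example, not PHPGurukul's own code. Shows the vulnerable pattern
// described for /admin/view-user-queries.php (the "viewid" request
// parameter interpolated into SQL) next to a hardened version that
// validates the value and uses a PDO prepared statement.
// Table/column names (tblcontactquery, id) are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern (kept only for contrast) ---------------------------
// The parameter is taken straight from the query string and spliced into
// the SQL string, so its contents become part of the statement itself.
function vulnerableLookup(mysqli $con, array $get): ?array
{
    $viewid = $get['viewid'] ?? '';
    $sql = "SELECT * FROM tblcontactquery WHERE id='" . $viewid . "'";
    $result = mysqli_query($con, $sql);
    return $result ? (mysqli_fetch_assoc($result) ?: null) : null;
}

// --- Hardened version ------------------------------------------------------
// 1. Validate: viewid must be a positive integer; anything else is rejected
//    before any database call is made.
// 2. Parameterize: the value is sent as a bound parameter, never as SQL
//    text, so it cannot alter the structure of the query.
function safeLookup(PDO $pdo, array $get): ?array
{
    $viewid = filter_var($get['viewid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($viewid === false) {
        http_response_code(400);
        error_log('view-user-queries: rejected non-integer viewid'); // audit trail
        return null;
    }

    $stmt = $pdo->prepare('SELECT * FROM tblcontactquery WHERE id = :id');
    $stmt->bindValue(':id', $viewid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Example wiring (placeholder credentials; use a least-privilege DB account
// with only SELECT/INSERT/UPDATE on the application's own tables):
// $pdo = new PDO('mysql:host=localhost;dbname=obbs', 'obbs_app', 'PLACEHOLDER', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false, // native server-side prepares
// ]);
// $query = safeLookup($pdo, $_GET);
```

Disabling PDO::ATTR_EMULATE_PREPARES makes the MySQL server itself separate the statement from its parameters, so the binding is enforced by the database rather than by client-side escaping. Combining the integer check with the bound parameter also means a malformed viewid is rejected with a 400 and logged, which gives the detection side something to alert on in addition to any WAF rule.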