PHPGurukul Time Table Generator CVE-2025-7941
Severity (by source): LOW
Primary rating from NVD, the only source for this CVE.
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, was found in PHPGurukul Time Table Generator System 1.0. Affected is an unknown function of the file /admin/profile.php. The manipulation of the argument adminname leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Stored cross-site scripting (XSS) in PHPGurukul Time Table Generator System 1.0 allows authenticated users to inject malicious scripts via the adminname parameter in /admin/profile.php, affecting other users who view the compromised admin profile. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting direct impact to integrity (VI:L), but publicly available exploit code demonstrates feasibility for authorized attackers to escalate privileges or perform actions on behalf of administrators.
Technical Context (AI)
The vulnerability exists in the admin profile management functionality (/admin/profile.php) of a PHP-based educational scheduling application. The adminname input parameter fails to properly sanitize or validate user-supplied data before storing or rendering it in the application context, allowing injection of arbitrary HTML and JavaScript. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability in a server-side PHP application where user input is reflected or stored without encoding. The affected CPE indicates this is specifically the Time Table Generator System version 1.0 from PHPGurukul, a platform commonly used in educational institutions for managing class schedules.
Remediation (AI)
Primary remediation requires upgrading from version 1.0 to a patched release; however, no specific patched version is currently documented in vendor advisories. Contact PHPGurukul directly at https://phpgurukul.com/ to request a security update or patch for this XSS vulnerability. As an immediate compensating control, restrict access to the /admin/profile.php endpoint using web application firewall (WAF) rules that block requests containing script tags or event handlers in the adminname parameter (e.g., block strings containing '<script', 'onerror=', 'onclick='). Additionally, implement strict output encoding: ensure all admin profile data displayed in HTML context is HTML-entity-encoded and all JavaScript context uses JavaScript escaping before rendering. Enforce Content Security Policy (CSP) headers with script-src 'self' to prevent inline script execution even if XSS payloads are injected. Require multi-factor authentication (MFA) for all admin accounts to reduce the likelihood of credential compromise. These mitigations do not fix the underlying code flaw but prevent exploitation of this specific attack vector until a vendor patch is released.
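The output-encoding fix described above, as an added illustration rather than PHPGurukul's own code: a hypothetical rendering of the adminname field in /admin/profile.php, first in the unencoded pattern the advisory describes, then with HTML-attribute encoding and the suggested CSP header. The `$row['adminname']` lookup and the function names are assumptions.

```php
<?php
// Added illustration, not the project's code. Assumes the stored profile
// value is fetched from the database as $row['adminname'] (name is a guess).

// Constructed sample row standing in for a database fetch; the stored value
// carries markup, which is exactly what an unencoded echo would emit as HTML.
$row = ['adminname' => 'Alice <b>Admin</b>'];

// Unsafe pattern the advisory describes: the stored value is concatenated
// straight into the page, so any tag or attribute in it becomes part of the
// document for every user who views the profile.
function render_profile_unsafe(array $row): string {
    return '<input type="text" name="adminname" value="'
        . $row['adminname'] . '">';
}

// Hardened version: encode for the HTML attribute context. ENT_QUOTES covers
// both quote characters, so the value cannot terminate the attribute, and
// the explicit charset avoids encoding mismatches.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_profile_safe(array $row): string {
    return '<input type="text" name="adminname" value="'
        . h($row['adminname']) . '">';
}

// Defence in depth as the remediation suggests: allow only same-origin
// scripts, so an inline payload that did slip through would not execute.
// Headers must be sent before any output.
header("Content-Security-Policy: script-src 'self'");

echo render_profile_safe($row);
```

The same `h()` wrapper must be applied at every point where the stored name is echoed (profile page, header bar, listings), not only on the edit form; encoding on input alone does not cover values already in the database.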