PHPGurukul Taxi Stand Management System CVE-2025-7942
Severity (by source): LOW
CVSS vector (NVD, primary rating and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability has been found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Stored cross-site scripting (XSS) in PHPGurukul Taxi Stand Management System 1.0 allows authenticated users to inject malicious scripts via the adminname parameter of /admin/admin-profile.php, affecting application integrity. Exploitation requires user interaction (UI:P in the CVSS 4.0 vector) and an authenticated admin account (PR:L), but public exploit code exists and the risk is amplified by the admin-tier access context. The EPSS exploitation probability is minimal at the 0.05% percentile, suggesting limited real-world weaponization despite proof-of-concept availability.
Technical Context (AI)
The vulnerability is a reflected or stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a PHP-based web application. The /admin/admin-profile.php endpoint accepts user input in the adminname parameter without input sanitization or output encoding, allowing attackers to inject arbitrary JavaScript. The Taxi Stand Management System is a PHP application used for managing taxi dispatch operations; its admin profile management function fails to sanitize user-controllable input before rendering it in an HTML context. This is a classic input-validation and output-encoding failure in a database-driven PHP application.
Remediation (AI)
Upgrade PHPGurukul Taxi Stand Management System to a patched version if one is available from the vendor at https://phpgurukul.com/; no patched version number is specified in current advisories, so contact the vendor directly for guidance. As an interim compensating control, apply output encoding (HTML entity encoding) wherever the adminname value is displayed in /admin/admin-profile.php, using htmlspecialchars() or htmlentities() in PHP to convert the user-supplied value before rendering it into HTML. Additionally, enforce a Content Security Policy (CSP) header with script-src 'self' to block inline script execution and reduce the impact of any XSS that slips through. Allowlist input validation (permit only alphanumeric characters and a small set of punctuation for admin names) further reduces the attack surface. These controls trade functionality (CSP may break legitimate inline scripts) against security; test thoroughly in a staging environment before deploying to production.
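The three controls above (output encoding, allowlist validation and a CSP header) applied to a profile form like the one in /admin/admin-profile.php, as an added example. This is not PHPGurukul's code or a vendor patch; the helper names, the `tbladmin`/`AdminName`/`ID` table and column names, the `$pdo` PDO connection and the `$_SESSION['admin_id']` key are assumptions made for the example. The vulnerable pattern is shown only in a comment so the two shapes can be compared.

```php
<?php
// Added example, not PHPGurukul's code. Table/column names, $pdo and the
// session key are assumptions for illustration.
declare(strict_types=1);

// Output encoding: every user-controlled value rendered into HTML goes
// through this helper. ENT_QUOTES also encodes single quotes, so the result
// is safe inside attribute values; ENT_SUBSTITUTE avoids silently returning
// an empty string on malformed UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allowlist validation: admin names are limited to letters, digits, spaces,
// dots and hyphens, 1 to 50 characters. Returns null when the input is rejected.
function validateAdminName(string $raw): ?string
{
    $name = trim($raw);
    if (preg_match('/^[A-Za-z0-9 .\-]{1,50}$/', $name) !== 1) {
        return null;
    }
    return $name;
}

// Content Security Policy: scripts only from the site's own origin, so an
// injected inline <script> is refused by browsers that honour CSP even if it
// were to reach the page. Test this in staging first; it breaks inline scripts.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

sendSecurityHeaders();
session_start();
$adminId = (int) ($_SESSION['admin_id'] ?? 0);   // assumed session key

// --- vulnerable pattern (CWE-79: raw value stored and echoed; do not use) ---
// $adminname = $_POST['adminname'];
// echo "<input name='adminname' value='$adminname'>";

// --- hardened pattern ---
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $adminname = validateAdminName((string) ($_POST['adminname'] ?? ''));
    if ($adminname === null) {
        $errors[] = 'Admin name may only contain letters, digits, spaces, dots and hyphens (max 50).';
    } else {
        // Prepared statement keeps the value out of the SQL text ($pdo assumed).
        $stmt = $pdo->prepare('UPDATE tbladmin SET AdminName = :name WHERE ID = :id');
        $stmt->execute([':name' => $adminname, ':id' => $adminId]);
    }
}

// Read the stored value back. Encoding happens at render time, so rows written
// before the fix (possibly already containing markup) are neutralised too.
$stmt = $pdo->prepare('SELECT AdminName FROM tbladmin WHERE ID = :id');
$stmt->execute([':id' => $adminId]);
$current = (string) $stmt->fetchColumn();
?>
<!doctype html>
<html lang="en">
<head><meta charset="utf-8"><title>Admin profile</title></head>
<body>
<?php foreach ($errors as $err): ?>
  <p class="error"><?= e($err) ?></p>
<?php endforeach; ?>
<form method="post" action="admin-profile.php">
  <label>Admin name
    <input type="text" name="adminname" maxlength="50" value="<?= e($current) ?>">
  </label>
  <button type="submit">Save</button>
</form>
<p>Signed in as <?= e($current) ?></p>
</body>
</html>
```

Encoding at output time is the control that actually closes the stored-XSS path, because it covers values that entered the database before the fix; the allowlist narrows what can be stored going forward, and the CSP limits damage if any rendering path is missed. Note that `e()` is correct for HTML text and attribute contexts only; a value placed inside a JavaScript block or a URL needs context-specific encoding instead.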