PHPGurukul Taxi Stand Management System CVE-2025-7943
Severity: LOW (by source)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
A vulnerability was found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/search-autoortaxi.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in PHPGurukul Taxi Stand Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the searchdata parameter in /admin/search-autoortaxi.php. The vulnerability requires user interaction (clicking a malicious link) but no authentication. Publicly available exploit code exists, though EPSS score (0.07%) indicates low real-world exploitation probability relative to CVSS severity.
Technical Context (AI)
The vulnerability exists in a PHP-based administrative search function that fails to properly sanitize user input from the searchdata parameter before reflecting it in HTTP responses. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates insufficient output encoding or input validation. The affected endpoint /admin/search-autoortaxi.php processes search queries without escaping or filtering potentially malicious HTML/JavaScript characters, allowing attackers to embed executable scripts that execute in the context of an admin user's session if they visit a crafted URL.
Remediation (AI)
No vendor-released patch has been identified at time of analysis. Contact PHPGurukul directly via https://phpgurukul.com/ to request a security update for version 1.0. As an immediate compensating control, implement strict input validation and output encoding in the /admin/search-autoortaxi.php file: validate the searchdata parameter against a whitelist of allowed characters (alphanumeric, spaces, and necessary operators), and HTML-encode all output before rendering search results. Alternatively, restrict administrative interface access to trusted IP ranges or require a Web Application Firewall (WAF) rule that filters reflected XSS payloads (e.g., detecting script tags in the searchdata parameter). These controls reduce exploitability but do not eliminate the underlying code defect.
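The validate-then-encode fix described above, as an added example that is not PHPGurukul's code: the real search-autoortaxi.php is not reproduced on this page, so the request shape and the result heading are assumed; both the vulnerable reflection pattern and a hardened replacement are shown side by side.

```php
<?php
// Added example (not PHPGurukul code). The actual search-autoortaxi.php is
// not on the page, so the request array and heading markup are assumptions.

// --- Vulnerable pattern: the parameter is echoed straight into the page ---
function render_search_heading_vulnerable(array $request): string
{
    $searchdata = $request['searchdata'] ?? '';
    // No validation, no encoding: markup in searchdata becomes live HTML.
    return "<h4>Result against \"$searchdata\" keyword</h4>";
}

// --- Hardened: validate the input, then encode at the output boundary ---
function validate_searchdata(string $raw): ?string
{
    // Allow-list: letters, digits, spaces and a few punctuation characters a
    // taxi/driver search legitimately needs; length is bounded as well.
    // preg_match() returns false on invalid UTF-8, which is also rejected.
    if (!preg_match('/^[\p{L}\p{N} .,\-_\/]{1,100}$/u', $raw)) {
        return null;
    }
    return trim($raw);
}

function html_encode(string $value): string
{
    // ENT_QUOTES covers both quote styles so the value is safe inside
    // attribute values as well as element text; UTF-8 avoids charset tricks.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_heading_hardened(array $request): string
{
    $searchdata = validate_searchdata((string)($request['searchdata'] ?? ''));
    if ($searchdata === null) {
        http_response_code(400);
        return '<p>Invalid search term.</p>';
    }
    // Encode even after validation: validation rules change, encoding does not.
    return '<h4>Result against "' . html_encode($searchdata) . '" keyword</h4>';
}

// Constructed inputs showing the difference (not from the original report):
$probe  = ['searchdata' => '"><script>alert(1)</script>'];
$benign = ['searchdata' => 'DL-1234 Ramesh'];
echo render_search_heading_vulnerable($probe), PHP_EOL;  // script tag reflected as-is
echo render_search_heading_hardened($probe), PHP_EOL;    // rejected with HTTP 400
echo render_search_heading_hardened($benign), PHP_EOL;   // encoded and rendered safely
```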