PHPGurukul Taxi Stand Management System CVE-2025-7944
Severity (by source): LOW
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability was found in PHPGurukul Taxi Stand Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /search.php. The manipulation of the argument searchdata leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Cross-site scripting (XSS) in PHPGurukul Taxi Stand Management System 1.0 allows remote attackers to inject malicious scripts via the searchdata parameter in /search.php. The vulnerability requires user interaction (clicking a malicious link) and has limited integrity impact. A publicly available proof-of-concept exists, though an EPSS score of 0.07% suggests a minimal real-world exploitation probability despite active public disclosure.
Technical Context (AI)
This is a reflected cross-site scripting (CWE-79) vulnerability in a PHP-based web application. The /search.php endpoint fails to properly sanitize user input from the searchdata parameter before reflecting it in the HTTP response, allowing an attacker to inject arbitrary JavaScript code. The underlying issue is insufficient input validation and output encoding in a server-side PHP application processing search functionality. The attack vector is network-based, requiring no authentication, but mandates user interaction (UI:P in CVSS 4.0 vector) to trigger the malicious payload.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Immediate remediation requires input validation and output encoding in the /search.php file:
(1) Validate the searchdata parameter to accept only expected character sets (alphanumeric, spaces, etc.) and reject or encode special characters;
(2) Apply context-appropriate output encoding (HTML entity encoding) when reflecting search data in HTML responses, preventing JavaScript execution;
(3) Implement Content Security Policy (CSP) headers to restrict inline script execution;
(4) If the application is internally used or non-critical, restrict network access to /search.php to trusted IP ranges or require authentication before the search functionality is available.
Contact phpgurukul.com directly for patch availability or consider migrating to an actively maintained alternative if the project is no longer supported.
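The following is an added example, not PHPGurukul's code: a hypothetical reconstruction of the reflected-output pattern described above, placed next to a hardened version that applies steps (1) to (3). Only the parameter name searchdata and the path /search.php come from the advisory; the function names, the allowed character set and the CSP values are assumptions.

```php
<?php
// Added example, not the project's own code. Hypothetical reconstruction of a
// search handler; parameter name "searchdata" is from the advisory, everything
// else (function names, allowed character set, CSP values) is assumed.

// --- Vulnerable pattern (reflected XSS, CWE-79) ---
// The raw parameter is concatenated into the response body, so any markup or
// script carried by the request is rendered by the browser.
function render_results_vulnerable(string $searchdata): string
{
    return '<p>Results for: ' . $searchdata . '</p>';
}

// --- Hardened pattern ---
// (1) Validate: keep only the characters a stand/driver search plausibly needs.
//     Returning null lets the caller show a fixed message instead of the input.
function validate_search_term(string $raw): ?string
{
    $term = trim($raw);
    if ($term === '' || strlen($term) > 64) {   // byte-length cap (assumed)
        return null;
    }
    // Unicode letters, digits, space, dot and hyphen (assumed allow-list).
    return preg_match('/^[\p{L}\p{N} .\-]+$/u', $term) === 1 ? $term : null;
}

// (2) Encode for the HTML text context at the point of output, not on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_results_hardened(?string $term): string
{
    if ($term === null) {
        return '<p>Please enter a valid search term.</p>';
    }
    return '<p>Results for: ' . h($term) . '</p>';
}

// (3) Defence in depth: a CSP without 'unsafe-inline' so a missed encoding site
//     cannot execute script. header() must run before any output is sent.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

send_security_headers();
$term = validate_search_term($_GET['searchdata'] ?? '');
echo render_results_hardened($term);
```

With the hardened version, a searchdata value containing characters outside the allow-list is never reflected at all, and any value that does pass is entity-encoded, so the browser treats it as text rather than markup.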