PHPGurukul Apartment Visitors Management System CVE-2025-7946
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /search-visitor.php of the component HTTP POST Request Handler. The manipulation of the argument searchdata leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Reflected cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows remote attackers to inject malicious scripts via the searchdata parameter in /search-visitor.php. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and malware distribution. Publicly available exploit code exists; however, the low EPSS score (0.07%) and minimal scope impact suggest limited real-world exploitation pressure despite public disclosure.
Technical ContextAI
The vulnerability is a reflected XSS (CWE-79) in a PHP-based visitor management application. The /search-visitor.php endpoint's HTTP POST request handler fails to properly sanitize or validate the searchdata parameter before echoing it back in the HTTP response. This allows an attacker to inject arbitrary HTML and JavaScript that executes in the victim's browser within the context of the application domain. The attack leverages the application's trust in user input without output encoding or Content Security Policy protections, enabling attackers to steal session cookies, perform unauthorized actions as the victim, or redirect to phishing pages.
RemediationAI
Upgrade to a patched version if available from PHPGurukul (check phpgurukul.com for updates); no specific patch version number is publicly confirmed at time of analysis. As immediate compensating controls: sanitize and validate the searchdata parameter using htmlspecialchars() or equivalent output encoding before echoing to HTTP responses, implement strict Content Security Policy (CSP) headers to prevent inline script execution, apply input validation whitelisting (only permit alphanumeric and safe characters for search queries), and enable httpOnly and Secure flags on session cookies to prevent JavaScript access. Additionally, restrict access to the visitor management interface by IP whitelist or VPN if the application is internet-facing, and educate staff not to click links from untrusted sources pointing to the application.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today