VYPR
Low severity · 3.5 · NVD Advisory · Published Jul 18, 2025 · Updated Apr 29, 2026

CVE-2025-7791

Description

A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHPGurukul Online Security Guards Hiring System 1.0 has a reflected XSS in /admin/search.php via the searchdata parameter.

Vulnerability Description

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the /admin/search.php file of PHPGurukul Online Security Guards Hiring System version 1.0 [2]. The root cause is that the searchdata parameter, submitted via a POST request, is embedded directly into the HTML output without sanitization or encoding [2]. Specifically, the line `<?php echo $sdata;?>` echoes the user-supplied value directly into an HTML element [2].

Exploitation

An attacker can trigger this vulnerability remotely by sending a crafted POST request to the search endpoint with malicious JavaScript code in the searchdata parameter [1], [2]. Although /admin/search.php is part of the admin panel, it is accessible without login, so no authentication is required [2]. This makes the attack vector simple and potentially exploitable by an unauthenticated remote attacker.

Impact

Successful exploitation allows an attacker to inject arbitrary JavaScript code into the page context, which executes in the browser of any user viewing the search results [2]. This can lead to session hijacking, redirection to malicious sites, or defacement of the admin interface. The CVSS v3.1 base score is 3.5 (Low), indicating limited impact due to the reflected nature of the XSS [1].

Mitigation

The vendor has not released a patch at the time of publication, and the system appears to be unmaintained or end-of-life [1]. A public exploit has been disclosed [2]. As a workaround, administrators should apply input validation and output encoding (e.g., using htmlspecialchars()) on the searchdata parameter in /admin/search.php. Until a fix is applied, the affected component should be restricted from untrusted users.
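The output-encoding workaround described above, shown as an added example; this is not PHPGurukul source code. Only the `searchdata` parameter and the `echo $sdata` pattern come from the advisory; the `<input>` markup, the helper `h()`, the two render functions and the sample value are assumptions made for illustration.

```php
<?php
// Added illustration, not the project's code. The markup and function
// names are assumed; only `searchdata` and `$sdata` are from the advisory.

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value cannot close a quoted
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Pattern the advisory describes: the request value is echoed as-is. */
function render_unencoded(string $sdata): string
{
    return '<input type="text" name="searchdata" value="' . $sdata . '">';
}

/** Hardened form: same markup, value encoded at the point of output. */
function render_encoded(string $sdata): string
{
    return '<input type="text" name="searchdata" value="' . h($sdata) . '">';
}

// Constructed, harmless sample that contains markup and a double quote.
// In the web page the value would come from $_POST['searchdata'].
$sdata = $_POST['searchdata'] ?? '"><b>constructed sample</b>';

// A request sent as searchdata[]=x arrives as an array, and passing an
// array to htmlspecialchars() raises a TypeError on PHP 8, so normalise.
if (!is_string($sdata)) {
    $sdata = '';
}

echo render_unencoded($sdata), PHP_EOL; // markup reaches the page intact
echo render_encoded($sdata), PHP_EOL;   // rendered as inert text
```

Encoding at output addresses the reflection only; the missing login check on /admin/search.php noted under Exploitation is a separate access-control fix.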

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 5