CVE-2025-7926
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability, which was classified as problematic, was found in PHPGurukul Online Banquet Booking System 1.0. This affects an unknown part of the file /admin/booking-search.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-21
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-07-21
EPSS Evaluated
2026-05-05
NVD
CVE-2025-7926
EUVD
EUVD-2025-22096
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul online_banquet_booking_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7926 is a Reflected Cross-Site Scripting (XSS) vulnerability in PHPGurukul Online Banquet Booking System version 1.0. It occurs in the 'searchdata' cookie parameter used by the application, which is reflected without proper sanitization in the /admin/booking-search.php page. An attacker can inject malicious JavaScript code into this parameter, which executes in the victim's browser when they access the affected page. This allows the attacker to run arbitrary scripts in the context of the user's session. [1, 2, 3]


How can this vulnerability impact me? :

This vulnerability can allow attackers to execute arbitrary JavaScript in the victim's browser, potentially leading to theft of session tokens or sensitive information, redirection to malicious websites, phishing attacks, UI redressing, and bypassing client-side security protections. It compromises the integrity of the system by enabling script injection and can result in unauthorized actions performed on behalf of the user. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the 'searchdata' cookie parameter in the /admin/booking-search.php page for reflected cross-site scripting (XSS). You can use a web proxy or browser developer tools to modify the 'searchdata' cookie and inject a test payload such as <script>alert(1)</script>. If the alert box appears when accessing the page, the vulnerability is present. Additionally, you can use Google dorking with the query inurl:admin/booking-search.php to identify potentially vulnerable targets. Example command using curl to test injection via cookie: curl -b "searchdata=<script>alert(1)</script>" https://targetsite.com/admin/booking-search.php -v [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and encoding the 'searchdata' cookie value before embedding it in HTML output, for example by using PHP functions like htmlspecialchars(). Implementing a Content Security Policy (CSP) to restrict script execution can also help reduce risk. Avoid reflecting cookie values directly in frontend code unless absolutely necessary. If possible, replace or update the affected product to a version without this vulnerability. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart