CVE-2025-15390
Unknown Unknown - Not Provided
Authorization Bypass in PHPGurukul Small CRM /admin/edit-user.php

Publication date: 2025-12-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15390
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul small_crm 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authorization flaw in PHPGurukul Small CRM version 4.0, specifically in the /admin/edit-user.php file. The system fails to properly verify user roles before granting access to administrative functions. Although it checks if a user is authenticated, it does not confirm if the user has the necessary privileges. As a result, any authenticated user can access administrative pages and perform actions reserved for administrators, leading to privilege escalation and unauthorized control over the system. [1, 3]

Impact Analysis

This vulnerability allows an attacker with low-level user credentials to escalate their privileges to administrator level. They can access and modify sensitive user data, change user information, and potentially take full control of the system. This can lead to data breaches, unauthorized data manipulation, and complete system compromise. [1, 3]

Detection Guidance

This vulnerability can be detected by checking for unauthorized access to administrative URLs such as /admin/edit-user.php without proper role verification. One method is to use Google dorking with the query "inurl:admin/edit-user.php" to identify potentially vulnerable targets. Additionally, monitoring web server logs for access attempts to /admin/edit-user.php by low-privileged users may help detect exploitation attempts. Specific commands could include using curl or wget to test access, for example: curl -i http://targetsite.com/admin/edit-user.php to see if access is granted without proper authorization. [3, 1]

Mitigation Strategies

No known countermeasures or mitigations currently exist for this vulnerability. It is suggested to replace the affected product with an alternative CRM system. Until a patch or fix is available, restricting access to the /admin/edit-user.php file via network controls or web server configuration (e.g., IP whitelisting or authentication enforcement) may reduce risk, but no official vendor guidance is available. [3]

Compliance Impact

The vulnerability allows unauthorized users to escalate privileges and gain full administrative access to sensitive user data, which compromises confidentiality, integrity, and availability of the system. Such unauthorized access and potential data modification can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by exposing sensitive data to unauthorized parties. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15390. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart