CVE-2025-10794: Cross Site Scripting in PHPGurukul Car Rental Project

Severity: Medium
Type: Vulnerability
Published: Mon Sep 22 2025 (09/22/2025, 10:32:09 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Car Rental Project

Description

A flaw has been found in PHPGurukul Car Rental Project 3.0. Affected by this issue is some unknown functionality of the file /carrental/search.php. Executing manipulation of the argument autofocus can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.

AI-Powered Analysis

Last updated: 09/22/2025, 10:37:47 UTC

Technical Analysis

CVE-2025-10794 is a cross-site scripting (XSS) vulnerability identified in version 3.0 of the PHPGurukul Car Rental Project, specifically within the /carrental/search.php file. The vulnerability arises from improper handling of the 'autofocus' argument, which an attacker can manipulate to inject malicious scripts. This flaw allows remote attackers to execute arbitrary JavaScript code in the context of the victim's browser without requiring authentication. The vulnerability is classified as reflected XSS: the injected script is reflected off the web server in the immediate response to a crafted request. The CVSS 4.0 base score is 5.3 (medium severity), indicating moderate impact with no privileges or user interaction required and low attack complexity. The vulnerability does not affect confidentiality directly but can impact integrity and availability by enabling session hijacking, defacement, or redirection to malicious sites. Exploit code has been published, increasing the risk of exploitation, although no confirmed widespread exploitation has been reported yet. The vulnerability affects a specific version of a niche web application used for car rental management, which may be deployed by small to medium enterprises or local rental agencies relying on PHPGurukul's software.

Potential Impact

For European organizations using the PHPGurukul Car Rental Project 3.0, this vulnerability poses a tangible risk of client-side attacks that could compromise user sessions, steal sensitive data such as login credentials, or perform unauthorized actions on behalf of users. Given the nature of the application, which likely handles customer personal information and booking details, exploitation could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. The reflected XSS could also be leveraged as a vector for phishing campaigns targeting customers or employees. While the vulnerability does not directly compromise backend systems, the indirect consequences of client-side compromise can be significant, especially for organizations with a large customer base or those operating in highly regulated sectors. The medium severity score suggests that while the threat is not critical, it should not be ignored, particularly since exploit code is publicly available and the attack can be launched remotely without authentication.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately review and sanitize all user-controllable inputs, especially the 'autofocus' parameter in /carrental/search.php, using robust server-side input validation and output encoding techniques to neutralize malicious scripts. Implementing Content Security Policy (CSP) headers can further reduce the risk by restricting the execution of unauthorized scripts. Since no official patch is currently available, organizations should consider applying custom patches or workarounds, such as disabling or restricting the vulnerable functionality if feasible. Regular security testing, including automated scanning and manual code review, should be conducted to detect similar issues. Additionally, educating users about the risks of phishing and suspicious links can reduce the impact of potential attacks leveraging this vulnerability. Monitoring web server logs for unusual requests targeting the autofocus parameter can help detect exploitation attempts early.
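The last recommendation above, watching web server logs for abnormal values of the autofocus parameter sent to /carrental/search.php, can be turned into a small detection routine. This is an added example, not part of this advisory or of PHPGurukul's code: the access-log lines are constructed, and the log pattern, decoding depth and marker regex are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [22/Sep/2025:10:40:01 +0000] "GET /carrental/search.php?autofocus=Berlin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Sep/2025:10:40:07 +0000] "GET /carrental/search.php?autofocus=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Sep/2025:10:40:12 +0000] "GET /carrental/search.php?autofocus=x%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.4 - - [22/Sep/2025:10:41:00 +0000] "GET /carrental/index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.4 - - [22/Sep/2025:10:41:09 +0000] "GET /carrental/search.php?autofocus=%253Cb%253E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

# Assumed log layout: client IP, identd, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Markup or script fragments that have no business in a search term.
# Deliberately broad: a quote in a legitimate search will also be flagged.
SUSPICIOUS = re.compile(r'<|>|javascript:|\bon\w+\s*=|[\'"`]', re.IGNORECASE)

WATCHED_PATH = "/carrental/search.php"
WATCHED_PARAM = "autofocus"


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line):
    """Return (client_ip, decoded_value) for a suspicious autofocus value on the watched path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != WATCHED_PATH:
        return None
    # parse_qs already undoes one encoding layer; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(WATCHED_PARAM, []):
        value = decode_fully(raw)
        if SUSPICIOUS.search(value):
            return (m.group("ip"), value)
    return None


def scan_log(text):
    """Scan a whole log text and return every suspicious hit in file order."""
    return [hit for hit in (inspect_request(line) for line in text.splitlines()) if hit]
```

Hits carry the decoded value so an analyst sees what the browser would have received rather than the percent-encoded form. Feed `scan_log` the real access log and alert on the non-empty result.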

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-21T09:24:16.084Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d126e5419b193bae2c43d1

Added to database: 9/22/2025, 10:37:25 AM

Last enriched: 9/22/2025, 10:37:47 AM

Last updated: 9/26/2025, 12:10:46 AM
