CVE-2025-45805: n/a
In phpgurukul Doctor Appointment Management System 1.0, an authenticated doctor user can inject arbitrary JavaScript code into their profile name. This payload is subsequently rendered without proper sanitization when a user visits the website and selects the doctor to book an appointment.
AI Analysis
Technical Summary
CVE-2025-45805 is a cross-site scripting (XSS) vulnerability identified in the phpgurukul Doctor Appointment Management System version 1.0. This vulnerability arises because an authenticated doctor user can inject arbitrary JavaScript code into their profile name field. The injected script is then rendered without proper sanitization or encoding when any user visits the website and selects that doctor to book an appointment. This means that when a patient or any visitor views the doctor’s profile, the malicious JavaScript executes in their browser context. The vulnerability is a classic example of stored XSS, where the malicious payload is persistently stored on the server and delivered to multiple users. Since the injection point is limited to authenticated doctor users, exploitation requires at least one doctor account to be compromised or maliciously controlled. However, once exploited, the impact can be significant as it affects all users who view the infected doctor profile. The lack of a CVSS score suggests this is a newly published vulnerability without formal severity assessment. The absence of patch links indicates that no official fix has been released yet. The vulnerability does not require user interaction beyond visiting the affected page, and no additional authentication is needed for victims viewing the profile. Stored XSS can be leveraged for session hijacking, credential theft, defacement, or delivering further malware payloads, making it a critical concern in web applications handling sensitive user data such as healthcare systems.
Potential Impact
For European organizations, especially healthcare providers using the phpgurukul Doctor Appointment Management System, this vulnerability poses a significant risk to patient privacy and trust. Exploitation could lead to unauthorized access to patient sessions, theft of sensitive personal health information, or manipulation of appointment booking processes. Given the sensitive nature of healthcare data protected under GDPR, any data breach resulting from this vulnerability could lead to severe regulatory penalties and reputational damage. Additionally, the ability to execute arbitrary JavaScript could facilitate phishing attacks or malware distribution targeting European users. The impact extends beyond confidentiality to integrity and availability if attackers manipulate appointment data or disrupt service. Since healthcare systems are critical infrastructure, such attacks could also have broader public health implications. The vulnerability’s exploitation requires an attacker to have or gain doctor-level access, which may be feasible through social engineering or credential compromise, increasing the threat level. Overall, the vulnerability threatens confidentiality, integrity, and availability of healthcare services and patient data in Europe.
Mitigation Recommendations
To mitigate this vulnerability, European healthcare organizations using this system should immediately implement strict input validation and output encoding on all user-supplied data, especially the doctor profile name field. Employing a robust web application firewall (WAF) with rules to detect and block common XSS payloads can provide temporary protection. Organizations should enforce the principle of least privilege to restrict doctor account permissions and monitor for unusual profile updates. Regular security audits and code reviews focusing on input sanitization are essential. Until an official patch is available, consider disabling or restricting profile editing capabilities for doctor users or implementing manual review of profile changes. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Educating staff about phishing and credential security reduces the risk of attacker account takeover. Finally, organizations should prepare incident response plans to quickly address any exploitation attempts and notify affected users in compliance with GDPR requirements.
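The output encoding, input validation and CSP measures above, sketched in PHP as an added example. This is not code from the phpgurukul project: the function names and the `<option>` rendering context are assumptions, and the sample profile name is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample value standing in for a stored doctor profile name.
$storedName = 'Dr. Example <script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated into HTML unchanged.
function renderOptionUnsafe(int $id, string $name): string
{
    return '<option value="' . $id . '">' . $name . '</option>';
}

// Hardened pattern: encode for the HTML context at output time, so markup
// characters in the stored name are displayed as text, not parsed as tags.
function renderOptionSafe(int $id, string $name): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<option value="' . $id . '">'
        . htmlspecialchars($name, $flags, 'UTF-8') . '</option>';
}

// Input validation for the profile update handler: allowlist of letters,
// combining marks, spaces and . ' - with a length limit (assumed policy).
function isValidDoctorName(string $name): bool
{
    return preg_match('/\A[\p{L}\p{M}][\p{L}\p{M} .\'\-]{0,99}\z/u', $name) === 1;
}

// Defence in depth: a CSP without 'unsafe-inline' stops inline scripts
// from running even if an encoding call is missed somewhere.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'");
}

if (PHP_SAPI !== 'cli') {
    sendCspHeader(); // must run before any output is sent
}

echo "unsafe: ", renderOptionUnsafe(7, $storedName), PHP_EOL;
echo "safe:   ", renderOptionSafe(7, $storedName), PHP_EOL;
echo "stored name passes validation: ",
    var_export(isValidDoctorName($storedName), true), PHP_EOL;
echo "plain name passes validation:  ",
    var_export(isValidDoctorName("Dr. Anne-Marie O'Neil"), true), PHP_EOL;
```

Encoding at output is the control that closes the rendering flaw; the allowlist only reduces what can be stored and does not protect names already in the database.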
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68b87bc1ad5a09ad00f8da2f
Added to database: 9/3/2025, 5:32:49 PM
Last enriched: 9/3/2025, 5:48:31 PM
Last updated: 9/4/2025, 12:34:40 AM