CVE-2025-5970: Cross Site Scripting in PHPGurukul Restaurant Table Booking System
A vulnerability was found in PHPGurukul Restaurant Table Booking System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/add-subadmin.php. The manipulation of the argument fullname leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AI Analysis
Technical Summary
CVE-2025-5970 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the PHPGurukul Restaurant Table Booking System, specifically within the /admin/add-subadmin.php file. The vulnerability arises due to improper sanitization or validation of the 'fullname' parameter, which is susceptible to malicious script injection. An attacker can exploit this flaw remotely without authentication, although the CVSS vector indicates that privileges are required (PR:H) and user interaction is needed (UI:P), suggesting that the attacker must have some level of administrative access and trick a user into interacting with a crafted payload. The vulnerability is classified as medium severity with a CVSS score of 4.8. The impact primarily affects the confidentiality and integrity of the affected system by allowing script execution in the context of the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The disclosure mentions that other parameters might also be vulnerable, indicating a broader input validation issue within the application. No known exploits are currently active in the wild, and no patches have been linked yet, which suggests that organizations using this system should prioritize remediation once available. The vulnerability affects a niche product used for restaurant table booking management, which may be deployed in small to medium hospitality businesses.
Potential Impact
For European organizations, particularly those in the hospitality sector using PHPGurukul's Restaurant Table Booking System, this vulnerability could lead to unauthorized access to administrative functions or user session compromise. Exploitation could result in defacement of administrative interfaces, theft of sensitive booking or customer data, or the injection of malicious scripts that could spread malware or phishing attacks to employees or customers. Given that the vulnerability requires some level of privilege and user interaction, the risk is somewhat mitigated but still significant in environments where multiple administrators or staff have access to the booking system backend. The impact on availability is minimal, but the integrity and confidentiality of data could be compromised. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR if customer data is exposed), and financial losses due to fraud or remediation costs.
Mitigation Recommendations
Organizations should immediately review and restrict administrative access to the /admin/add-subadmin.php interface, ensuring that only trusted personnel have access. Input validation and output encoding should be implemented or improved for the 'fullname' parameter and any other user-supplied inputs to prevent script injection. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks. Regularly monitor logs for suspicious activity related to the affected endpoint. Since no official patch is currently available, consider applying virtual patching via Web Application Firewalls (WAFs) to detect and block malicious payloads targeting this vulnerability. Additionally, conduct security awareness training for staff to recognize and avoid social engineering attempts that could facilitate exploitation. Finally, maintain an inventory of all systems using this software to prioritize updates once a patch is released.
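The input validation and output encoding recommended above, shown as an added example rather than PHPGurukul's own code (the page does not include the project's source, so the unsafe rendering pattern and the function names are assumptions about how a field like fullname is typically echoed back):

```php
<?php
// Added example, not PHPGurukul's code. Shows the hardening pattern the
// mitigation text describes for a user-supplied "fullname" field such as the
// one handled by /admin/add-subadmin.php. The unsafe pattern is hypothetical.

// Unsafe pattern (assumed): the raw value is concatenated into the HTML response,
// so any markup in $fullname is interpreted by the admin's browser.
function render_fullname_unsafe(string $fullname): string {
    return "<td>" . $fullname . "</td>";
}

// Hardened step 1: validate on input with an allow-list and a bounded length.
// Letters (including accented ones), spaces, apostrophes, hyphens and dots.
function validate_fullname(string $fullname): ?string {
    $fullname = trim($fullname);
    if ($fullname === '' || mb_strlen($fullname, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\s.\'-]+$/u', $fullname)) {
        return null;
    }
    return $fullname;
}

// Hardened step 2: encode on output, every time, regardless of validation.
// ENT_QUOTES covers attribute contexts; the charset must match the page's.
function render_fullname_safe(string $fullname): string {
    return "<td>" . htmlspecialchars($fullname, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</td>";
}

// Defence in depth: a CSP without 'unsafe-inline' blocks injected inline
// scripts even if an encoding bug slips through elsewhere in the application.
function send_csp_header(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Usage sketch for the request handler (assumed form field name: fullname).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    send_csp_header();
    $name = validate_fullname($_POST['fullname'] ?? '');
    if ($name === null) {
        http_response_code(400);
        exit('Invalid full name');
    }
    // ... persist $name with a prepared statement, then render it encoded ...
    echo render_fullname_safe($name);
}
```

Validation alone is not sufficient here: the encoding step is what prevents script execution, and it must be applied in every template that displays the stored value, not only in the form handler.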
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-10T11:24:17.376Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 6/10/2025, 6:54:08 PM
Last enriched: 7/10/2025, 8:01:55 PM
Last updated: 8/6/2025, 8:52:13 AM