
CVE-2025-5972: Cross Site Scripting in PHPGurukul Restaurant Table Booking System

Medium
Tags: Vulnerability, CVE-2025-5972
Published: Tue Jun 10 2025 (06/10/2025, 18:31:09 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Restaurant Table Booking System

Description

A vulnerability classified as problematic has been found in PHPGurukul Restaurant Table Booking System 1.0. Affected is an unknown function of the file /admin/manage-subadmins.php. The manipulation of the argument fullname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

Last updated: 07/10/2025, 19:02:12 UTC

Technical Analysis

CVE-2025-5972 is a cross-site scripting (XSS) vulnerability in version 1.0 of the PHPGurukul Restaurant Table Booking System, located in the /admin/manage-subadmins.php file. The 'fullname' parameter is neither adequately validated on input nor encoded when it is rendered, so an attacker who can submit that parameter remotely can inject markup and script that the browser of anyone viewing the page will execute. The CVE record (assigned through VulDB) classifies the issue as problematic and rates it CVSS 4.0 base 4.8 (medium). The reported vector components are consistent with an admin-area XSS: network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H, meaning the attacker already holds an account that can reach the sub-admin management page), and passive user interaction (UI:P, meaning another administrator must view the page on which the injected value is rendered). The scored impact is limited to integrity (VI:L), with no confidentiality or availability impact. In practice the injected script runs in the browser session of whichever administrator views the page, which can be abused for session hijacking or, where the session cookie is HttpOnly, for performing administrative actions directly through the victim's browser, as well as for defacing the admin interface. A proof-of-concept exploit has been disclosed publicly, although no in-the-wild exploitation is recorded; the note that other parameters might be affected as well points to a general pattern of unencoded output in the application rather than a single mishandled field. Only version 1.0 of this niche PHPGurukul product is listed as affected.

Potential Impact

For European organizations using the PHPGurukul Restaurant Table Booking System version 1.0, this vulnerability could lead to unauthorized administrative actions if exploited. Since the vulnerability is located in the admin interface, attackers could hijack admin sessions or perform actions with admin privileges, potentially compromising the integrity of booking data, user information, or system configurations. This could disrupt restaurant operations, damage customer trust, and lead to regulatory compliance issues under GDPR if personal data is exposed or manipulated. The impact is more significant for organizations relying heavily on this system for customer management and reservations. However, the medium severity and requirement for user interaction and admin privileges limit the scope somewhat. Still, the risk of targeted attacks against hospitality businesses in Europe is non-negligible, especially as the hospitality sector is a frequent target for cyberattacks.

Mitigation Recommendations

1. Patching: upgrade to a fixed release of the PHPGurukul Restaurant Table Booking System once one is available; the advisory does not reference a fix. Until then, restrict or disable access to /admin/manage-subadmins.php.
2. Input validation and output encoding: validate the 'fullname' parameter server-side against an allowlist of permitted characters and length, and do the same for every other user-supplied field, since other parameters may be affected. Independently of validation, encode values at the point they are rendered into HTML (in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset). Validation alone is not sufficient: a value already stored in the database, or written by another code path, must still be encoded on output.
3. Access controls: place the admin panel behind a VPN or an IP allowlist so that only trusted networks can reach /admin/ at all.
4. Web Application Firewall (WAF): deploy rules that block XSS payloads aimed at the affected endpoint, treating this as a compensating control only; signature rules can be bypassed with alternative encodings and do not replace the code fix.
5. User awareness: train administrators to recognize phishing or social-engineering attempts that could lure them into viewing a page carrying an injected value.
6. Monitoring and logging: log administrative actions (who changed which sub-admin record, from which address) and alert on requests to the affected endpoint whose 'fullname' parameter contains angle brackets, quotes, or event-handler names such as onerror or onload.
7. Consider migrating to an actively maintained booking system if patching is not feasible.
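The following is an added example and is not PHPGurukul's code nor a reconstruction of manage-subadmins.php. It places the unsafe pattern described in the Technical Analysis beside the hardened handling recommended in items 2 and 6 above: allowlist validation of the fullname field, prepared-statement storage, an audit log line, and context-aware encoding at output time. The table name tbladmin, the column fullname, the $pdo handle and the $_SESSION['username'] field are assumptions made for illustration; the product's real schema is not described on this page.

```php
<?php
// Added example, not PHPGurukul's code. Hypothetical handling of the
// sub-admin `fullname` field: the unsafe pattern beside a hardened one.
// Assumptions: table `tbladmin`, column `fullname`, a PDO handle in $pdo
// and $_SESSION['username'] are placeholders; the product's real schema
// is not described on the advisory page.
declare(strict_types=1);

// Unsafe: the value is written straight into the HTML, so a fullname like
// <script>...</script> runs in the browser of every admin who views the page.
function render_row_unsafe(string $fullname): string
{
    return "<td>{$fullname}</td>";
}

// Server-side allowlist for a person's name: letters in any script plus
// combining marks, spaces, dots, apostrophes and hyphens, 1..100 characters.
// Angle brackets, quotes, slashes and control characters are rejected
// before the value reaches the database. Returns null on failure.
function validate_fullname(string $raw): ?string
{
    $name = trim($raw);
    return preg_match('/^[\p{L}\p{M} .\'\-]{1,100}\z/u', $name) === 1 ? $name : null;
}

// Context-aware encoding for an HTML text node or double-quoted attribute.
// ENT_QUOTES encodes both quote characters so a value cannot close an
// attribute; the explicit charset keeps the encoder and the page in
// agreement about byte boundaries.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Safe: encoded at the point of output, whatever the stored value contains.
function render_row_safe(string $fullname): string
{
    return '<td>' . h($fullname) . '</td>';
}

// Hardened update handler: validate, store via a prepared statement, and
// leave an audit record. Output encoding (above) is still applied when the
// row is rendered: the database is not a trust boundary, and other code
// paths may write the same column.
function handle_subadmin_update(PDO $pdo, int $id, array $post): bool
{
    $fullname = validate_fullname((string) ($post['fullname'] ?? ''));
    if ($fullname === null) {
        http_response_code(400);
        return false;
    }
    $stmt = $pdo->prepare('UPDATE tbladmin SET fullname = :fullname WHERE id = :id');
    $stmt->execute([':fullname' => $fullname, ':id' => $id]);
    error_log(sprintf(
        'subadmin id=%d fullname changed by %s from %s',
        $id,
        $_SESSION['username'] ?? 'unknown',
        $_SERVER['REMOTE_ADDR'] ?? 'cli'
    ));
    return true;
}

// Constructed payload, runnable from the CLI without a database connection:
// the unsafe renderer emits it unchanged, the safe renderer emits inert
// entities, and the validator rejects it while accepting a real name.
if (PHP_SAPI === 'cli') {
    $payload = '"><img src=x onerror=alert(document.cookie)>';
    echo render_row_unsafe($payload), PHP_EOL;
    echo render_row_safe($payload), PHP_EOL;
    var_dump(validate_fullname($payload));
    var_dump(validate_fullname("Zoë O'Neill-Díaz"));
}
```

Run it with `php example.php` to see the two renderings side by side. The validator is deliberately narrow; if the application must accept names outside that allowlist, widen the character class rather than dropping validation, and keep the output encoding in place regardless, since it is the encoding, not the validator, that neutralizes a value that is already in the database.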


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-10T11:40:43.440Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68487f4f1b0bd07c393897b0

Added to database: 6/10/2025, 6:54:07 PM

Last enriched: 7/10/2025, 7:02:12 PM

Last updated: 8/18/2025, 11:32:22 PM

