
CVE-2025-5973: Cross Site Scripting in PHPGurukul Restaurant Table Booking System

Severity: Medium
Published: Tue Jun 10 2025 (06/10/2025, 18:31:12 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Restaurant Table Booking System

Description

A vulnerability classified as problematic was found in PHPGurukul Restaurant Table Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-table.php. The manipulation of the argument tableno leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/10/2025, 19:02:26 UTC

Technical Analysis

CVE-2025-5973 is a cross-site scripting (XSS) vulnerability in version 1.0 of the PHPGurukul Restaurant Table Booking System, located in the file /admin/add-table.php. The 'tableno' parameter is not properly validated or encoded before it is written into the page, so a crafted value is rendered as script inside the administrative interface.

The CVSS 4.0 base score of 4.8 classifies the issue as medium severity. The vector is network-based (AV:N) with low attack complexity (AC:L), but it requires high privileges (PR:H) and user interaction (UI:P): the crafted 'tableno' value must be submitted from, or acted on within, an authenticated admin session. The CVE description's statement that "the attack can be launched remotely" refers to the network attack vector, not to exploitation without authentication. The vector records no meaningful impact on confidentiality or availability and a low impact on integrity.

Script executing in the admin context can hijack the administrator's session, perform unauthorized administrative actions, or read data that is accessible to the admin user. No exploits are known to be in the wild, but the public disclosure of exploit code increases the likelihood of exploitation. Only version 1.0 of the product is affected; it is a niche restaurant table booking system developed by PHPGurukul, likely used by small to medium-sized hospitality businesses. No patch link is listed, which suggests a vendor fix may not yet be available and increases the urgency of mitigation.
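To make the flaw and its fix concrete, here is an added PHP example (not PHPGurukul's code). The vulnerable function is a hypothetical reconstruction of the pattern the advisory describes, an unchecked 'tableno' value written into admin HTML; the real add-table.php may differ. The allow-list format, the function names and the CSP policy are assumptions chosen for illustration.

```php
<?php
// Added example (not PHPGurukul's code). The vulnerable function is a
// hypothetical reconstruction of the pattern the advisory describes: an
// unchecked 'tableno' value written into admin HTML. The allow-list
// format, function names and CSP policy are assumptions for illustration.
declare(strict_types=1);

// Constructed inputs standing in for $_POST['tableno'] / $_GET['tableno'].
$samples = [
    'T12',
    '<script>alert(document.cookie)</script>',
    'T7" onmouseover="alert(1)',
];

// Vulnerable pattern: the raw value lands in the markup unchanged.
function renderTableRowVulnerable(string $tableno): string
{
    return "<tr><td>{$tableno}</td></tr>";
}

// Hardened step 1: allow-list validation. A table number is assumed to be
// 1-10 characters of letters, digits or '-'; anything else is rejected
// before it is stored or displayed.
function validateTableNo(string $raw): ?string
{
    $value = trim($raw);
    return preg_match('/^[A-Za-z0-9-]{1,10}$/', $value) === 1 ? $value : null;
}

// Hardened step 2: HTML-encode at the output sink regardless of validation,
// so a value that reaches the page through another path is still inert.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderTableRowHardened(string $tableno): string
{
    return '<tr><td>' . h($tableno) . '</td></tr>';
}

// Hardened step 3: a nonce-based CSP for the admin pages. Inline script that
// does not carry the per-response nonce is not executed by the browser, which
// blunts an injection that slips past validation and encoding.
function adminCspHeader(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

if (PHP_SAPI === 'cli') {
    // Demonstration run: compare both renderings for each constructed input.
    foreach ($samples as $raw) {
        echo "input:      {$raw}\n";
        echo "vulnerable: " . renderTableRowVulnerable($raw) . "\n";
        $clean = validateTableNo($raw);
        echo "hardened:   " . ($clean === null ? 'rejected with HTTP 400' : renderTableRowHardened($clean)) . "\n\n";
    }
} else {
    // In a web context the CSP header must be sent before any output.
    $nonce = base64_encode(random_bytes(16));
    header(adminCspHeader($nonce));
}
```

Validation and encoding are deliberately kept as separate layers: validation rejects values that cannot be legitimate table numbers, and encoding at the sink protects the page even when a value arrives through a path that skipped validation (an older record in the database, an import, another form). The CSP is the third layer and is applied to the whole admin area rather than to this one endpoint.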

Potential Impact

For European organizations, especially those in the hospitality sector using the PHPGurukul Restaurant Table Booking System version 1.0, this vulnerability poses a risk of administrative account compromise through XSS attacks. Successful exploitation could allow attackers to hijack admin sessions, manipulate booking data, or perform unauthorized administrative actions, potentially disrupting business operations and damaging customer trust. Given the administrative nature of the affected interface, the impact on confidentiality and integrity is moderate, as attackers could access or alter sensitive booking information. However, the overall impact on availability is minimal. The medium severity rating reflects the limited scope but tangible risk. Organizations in Europe with online restaurant booking systems should be aware of this vulnerability, as exploitation could lead to regulatory compliance issues under GDPR if customer data is exposed or manipulated. Additionally, reputational damage and financial loss could result from operational disruptions or data breaches.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the /admin/add-table.php interface to trusted IP addresses or VPN users to reduce exposure.
2. Implement strict input validation and output encoding on the 'tableno' parameter to neutralize malicious scripts.
3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the admin interface.
4. Monitor web server logs for suspicious requests targeting the 'tableno' parameter and unusual admin activity.
5. If possible, upgrade to a patched version once available or apply vendor-provided patches promptly.
6. Educate administrative users on phishing and social engineering risks that could facilitate exploitation.
7. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this endpoint.
8. Regularly audit and review access controls and session management mechanisms to prevent session hijacking.
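Recommendation 4 (monitoring web server logs for suspicious 'tableno' requests) is illustrated by the following added PHP script, which is not part of the advisory or of the PHPGurukul project. The access log lines are constructed for this example in combined log format, and the expected table-number pattern is an assumption; adjust it to the real numbering scheme in use.

```php
<?php
// Added example (not PHPGurukul's code): a small scanner for web server
// access logs that flags requests to /admin/add-table.php whose 'tableno'
// value does not match the expected format. The log lines are constructed
// for this example; the allow-list pattern is an assumption.
declare(strict_types=1);

// Constructed sample lines in combined log format (Apache/Nginx style).
$logLines = [
    '10.0.0.5 - admin [10/Jun/2025:18:40:01 +0000] "GET /admin/add-table.php?tableno=T12 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin [10/Jun/2025:18:41:13 +0000] "GET /admin/add-table.php?tableno=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1901 "-" "curl/8.5.0"',
    '10.0.0.9 - admin [10/Jun/2025:18:41:20 +0000] "GET /admin/add-table.php?tableno=T7%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 1899 "-" "curl/8.5.0"',
    '10.0.0.5 - admin [10/Jun/2025:18:42:02 +0000] "GET /admin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - admin [10/Jun/2025:18:43:30 +0000] "POST /admin/add-table.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// Parse the fields this scan needs from one combined-format line.
function parseLogLine(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m['ip'], 'time' => $m['time'], 'method' => $m['method'],
            'target' => $m['target'], 'status' => (int) $m['status']];
}

// parse_str() percent-decodes, so the check sees the value the application saw.
function extractTableNo(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    return (isset($params['tableno']) && is_string($params['tableno'])) ? $params['tableno'] : null;
}

function looksSuspicious(string $tableno): bool
{
    if (preg_match('/^[A-Za-z0-9-]{1,10}$/', $tableno) === 1) {
        return false; // matches the expected table-number format
    }
    // Markup delimiters or script-like fragments in a field that should be a short code.
    return preg_match('/[<>"\']|<\/?script|javascript:|on[a-z]+\s*=/i', $tableno) === 1;
}

function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null || parse_url($req['target'], PHP_URL_PATH) !== '/admin/add-table.php') {
            continue;
        }
        if ($req['method'] === 'POST') {
            // A form POST carries tableno in the body, which access logs do not
            // record; report it so it can be correlated with application-level logs.
            $findings[] = $req + ['tableno' => null, 'reason' => 'POST to add-table.php: body not logged, check application log'];
            continue;
        }
        $tableno = extractTableNo($req['target']);
        if ($tableno !== null && looksSuspicious($tableno)) {
            $findings[] = $req + ['tableno' => $tableno, 'reason' => 'tableno contains markup or script fragment'];
        }
    }
    return $findings;
}

foreach (scanAccessLog($logLines) as $f) {
    printf("[%s] %s %s %s -> %s (tableno=%s)\n",
        $f['time'], $f['ip'], $f['method'], $f['target'], $f['reason'], $f['tableno'] ?? '-');
}
```

Run against the constructed lines, the scanner flags the two curl requests with encoded markup in 'tableno', ignores the benign T12 request and the unrelated index.php hit, and reports the POST as unverifiable from the access log alone. That last case is the practical caveat for recommendation 4: if the form submits by POST, the parameter never appears in the web server log, so detection has to rely on application logging or a WAF that inspects request bodies.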


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-10T11:40:45.860Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68487f4f1b0bd07c393897c1

Added to database: 6/10/2025, 6:54:07 PM

Last enriched: 7/10/2025, 7:02:26 PM

Last updated: 8/9/2025, 4:47:38 AM

