CVE-2025-5974 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the PHPGurukul Restaurant Table Booking System, specifically within the /check-status.php file. The vulnerability arises from improper sanitization or validation of the 'searchdata' parameter, which can be manipulated by an attacker to inject malicious scripts. This flaw allows remote attackers to execute arbitrary JavaScript code in the context of the victim's browser when they access a crafted URL or interact with the affected functionality. The vulnerability does not require authentication but does require user interaction (e.g., clicking a malicious link). The CVSS 4.0 base score is 5.1, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, but user interaction needed. The impact primarily affects confidentiality and integrity at a limited level, as the injected scripts could steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The vulnerability is publicly disclosed, but no known exploits are currently reported in the wild. The affected product is a niche web application used for restaurant table booking, which may be deployed by small to medium-sized hospitality businesses. No patches or mitigations have been officially released yet.

For European organizations, particularly those in the hospitality sector using the PHPGurukul Restaurant Table Booking System, this vulnerability poses a risk of client-side attacks that can lead to session hijacking, theft of sensitive user data, or defacement of web interfaces. While the direct impact on backend systems or data availability is limited, the reputational damage and potential regulatory consequences under GDPR for failing to protect user data could be significant. Attackers could exploit this vulnerability to target customers or staff accessing the booking system, potentially leading to phishing or fraud. The medium severity rating reflects that while the vulnerability is exploitable remotely without authentication, it requires user interaction and does not directly compromise server-side data or availability. However, given the hospitality industry's increasing digitalization and reliance on online booking platforms, exploitation could disrupt business operations and customer trust.

Organizations using PHPGurukul Restaurant Table Booking System 1.0 should immediately implement input validation and output encoding on the 'searchdata' parameter within /check-status.php to prevent script injection. Specifically, applying context-aware encoding (e.g., HTML entity encoding) before rendering user input in the browser is critical. Until an official patch is released, deploying a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting this parameter can reduce risk. Additionally, organizations should educate users to avoid clicking suspicious links and monitor web server logs for unusual requests to /check-status.php. Regular security assessments and code reviews focusing on input handling should be conducted. If feasible, upgrading to a newer, patched version of the software or migrating to a more secure booking system is recommended. Implementing Content Security Policy (CSP) headers can also mitigate the impact of XSS by restricting script execution sources.