CVE-2025-7802: Cross Site Scripting in PHPGurukul Complaint Management System
A vulnerability was found in PHPGurukul Complaint Management System 2.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/complaint-search.php. The manipulation of the argument Search leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7802 is a cross-site scripting (XSS) vulnerability identified in version 2.0 of the PHPGurukul Complaint Management System, specifically in the /admin/complaint-search.php file. The vulnerability arises from improper sanitization of the 'Search' parameter, which allows an attacker to inject malicious scripts that execute in the context of the victim's browser. This flaw can be exploited remotely without authentication, although it requires some level of user interaction (e.g., an administrator or user clicking a crafted link or submitting manipulated input). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity, no privileges required, but user interaction is necessary. The vulnerability impacts confidentiality and integrity to a limited extent by potentially stealing session cookies, performing actions on behalf of the user, or defacing the web interface. Availability is not directly affected. No patches or fixes have been publicly disclosed yet, and no known exploits are currently observed in the wild. However, the public disclosure of the vulnerability increases the risk of exploitation attempts.
Potential Impact
For European organizations using PHPGurukul Complaint Management System 2.0, this vulnerability poses a risk primarily to administrative users who access the complaint search functionality. Successful exploitation could lead to session hijacking, unauthorized actions within the complaint management system, or phishing attacks targeting internal users. This could result in unauthorized disclosure of sensitive complaint data, manipulation of complaint records, or reputational damage if attackers deface or manipulate complaint information. Since complaint management systems often handle sensitive customer or employee grievances, the confidentiality and integrity of this data are critical. The medium severity suggests that while the threat is not catastrophic, it can facilitate further attacks or data breaches if combined with other vulnerabilities or social engineering. European organizations with compliance obligations under GDPR must consider the risk of personal data exposure and potential regulatory penalties.
Mitigation Recommendations
Organizations should immediately review and restrict access to the complaint management system's administrative interface, especially the complaint search functionality. Implement input validation and output encoding on the 'Search' parameter to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to reduce the impact of XSS attacks. Monitor web server logs for suspicious input patterns targeting the complaint-search.php endpoint. If possible, isolate the complaint management system behind a web application firewall (WAF) configured to detect and block XSS payloads. Since no official patch is available, consider applying custom patches or temporary workarounds such as disabling the vulnerable search feature or sanitizing inputs at the web server or proxy level. Educate administrative users about the risks of clicking untrusted links and encourage the use of multi-factor authentication to reduce session hijacking risks.
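The recommendation above to validate the 'Search' input and encode it on output is illustrated below in PHP. This is an added example, not code from the PHPGurukul project, and it does not reconstruct the actual vulnerable file: the unsafe function is a generic reflected-parameter pattern of the same bug class, and the parameter name `Search`, the `render_*` and `validate_search` helpers, and the CSP policy are assumptions chosen for the demonstration. The probe string is constructed and harmless (a bold tag), chosen only to make the difference between raw and encoded output visible.

```php
<?php
// Added example (not PHPGurukul code): a reflected search term as an XSS
// sink, beside the hardened equivalent. Assumes the mbstring extension.
declare(strict_types=1);

// --- Unsafe pattern (hypothetical illustration of the bug class) ---
function render_search_unsafe(string $term): string
{
    // Raw interpolation: any markup in $term is parsed by the browser.
    return '<input name="Search" value="' . $term . '">'
         . '<p>Results for ' . $term . '</p>';
}

// --- Hardened pattern: validate on input, encode on output ---
function esc(string $s): string
{
    // ENT_QUOTES encodes both quote styles, so the value is safe inside
    // single- or double-quoted attributes as well as in element text.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function validate_search(string $raw): string
{
    // Server-side validation: bound the length and drop control characters.
    // Validation narrows the input; it does not replace output encoding.
    $term = trim($raw);
    if (mb_strlen($term, 'UTF-8') > 100) {
        $term = mb_substr($term, 0, 100, 'UTF-8');
    }
    return preg_replace('/[\x00-\x1F\x7F]/u', '', $term) ?? '';
}

function render_search_safe(string $term): string
{
    $safe = esc($term);
    return '<input name="Search" value="' . $safe . '">'
         . '<p>Results for ' . $safe . '</p>';
}

function send_security_headers(): void
{
    // CSP limits what an injected script could do even if encoding is missed
    // somewhere; the policy below is an assumed baseline, not the project's.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
}

if (PHP_SAPI !== 'cli') {
    // Served by a web server: headers first, then validated + encoded output.
    // HttpOnly keeps the session cookie out of reach of page scripts, which
    // addresses the session-theft impact named in the advisory.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    send_security_headers();
    $term = validate_search((string)($_GET['Search'] ?? ''));
    echo render_search_safe($term);
} else {
    // Constructed probe for a local run: a quote that closes the attribute
    // followed by harmless markup. Unsafe output renders it; safe output
    // shows it as literal text.
    $probe = '"><b>bold</b>';
    echo "unsafe: ", render_search_unsafe($probe), PHP_EOL;
    echo "safe:   ", render_search_safe($probe), PHP_EOL;
}
```

Run it with `php search-example.php` to compare the two outputs; in the safe variant the closing quote and angle brackets appear as `&quot;`, `&lt;` and `&gt;`, so the attribute is never broken out of. The same `esc()` call must be applied at every point where the term reaches HTML, including the search box that echoes the previous query back to the user.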
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-18T09:15:16.475Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 687a9d7ba83201eaacf5caaa
Added to database: 7/18/2025, 7:16:11 PM
Last enriched: 7/26/2025, 12:55:30 AM
Last updated: 8/20/2025, 1:19:12 PM