CVE-2025-7925: Cross Site Scripting in PHPGurukul Online Banquet Booking System
A vulnerability, which was classified as problematic, has been found in PHPGurukul Online Banquet Booking System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument user_login/userpassword leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7925 is a cross-site scripting (XSS) vulnerability in version 1.0 of the PHPGurukul Online Banquet Booking System, specifically in the file /admin/login.php. It arises from improper sanitization or validation of user-supplied input in the user_login and userpassword parameters. An attacker can craft input that, when processed by the login page, is injected into the response and executed as arbitrary JavaScript in the context of the administrator's browser session. The issue is classified as reflected XSS: the payload is reflected in the server's response without proper encoding or filtering.

The vulnerability can be exploited remotely without authentication and requires no privileges. The CVSS 4.0 base score is 5.3, a medium severity rating. The attack vector is network-based with low attack complexity and no privileges required; the vector does record passive user interaction (UI:P), meaning the victim must interact with a crafted link or input. The impact falls on the confidentiality and integrity of the administrator's session, potentially enabling session hijacking, credential theft, or unauthorized actions within the admin panel; availability is not affected.

Although no exploitation in the wild is currently known, the exploit details have been disclosed publicly, which increases the risk of opportunistic attacks. The vendor has provided no official patch or mitigation links at this time, so systems remain exposed unless mitigated manually.
Potential Impact
For European organizations using the PHPGurukul Online Banquet Booking System version 1.0, this vulnerability poses a significant risk to administrative security. Successful exploitation could allow attackers to hijack administrator sessions, steal credentials, or perform unauthorized administrative actions, potentially leading to data leakage, manipulation of booking data, or disruption of business operations. Given that banquet booking systems often handle sensitive customer information and payment details, the compromise of administrative access could also lead to broader data privacy violations under GDPR regulations, exposing organizations to legal and financial penalties. The medium severity score reflects that while the vulnerability does not directly impact system availability, the confidentiality and integrity risks are notable. European organizations with public-facing admin portals are particularly vulnerable, as attackers can remotely launch attacks without authentication. The lack of a patch increases exposure duration, and the public disclosure of the exploit details may accelerate attempts to exploit this vulnerability.
Mitigation Recommendations
1. Immediate mitigation should include implementing strong input validation and output encoding on the user_login and userpassword parameters within /admin/login.php to neutralize malicious scripts.
2. Employ a web application firewall (WAF) with rules specifically designed to detect and block reflected XSS payloads targeting the affected parameters.
3. Restrict access to the admin login page by IP whitelisting or VPN access to reduce exposure to external attackers.
4. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the admin interface.
5. Conduct thorough security testing of the application to identify and remediate other potential injection points.
6. Monitor web server and application logs for suspicious activities related to login attempts or unusual parameter values.
7. Engage with the vendor or development team to obtain or develop an official patch or upgrade to a secure version of the software.
8. Educate administrative users about the risks of clicking on suspicious links and encourage the use of multi-factor authentication to reduce the impact of credential theft.
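Illustrative PHP for recommendations 1 and 4, added here and not taken from PHPGurukul's code (the page does not show the actual contents of /admin/login.php): a login error renderer that reflects the submitted user_login value unencoded, beside a hardened version that allow-lists the username, encodes output for the HTML context, never echoes the password, and sets a CSP header. Only the field names user_login and userpassword come from the advisory; every other name, the username policy and the sample credential store are assumptions.

```php
<?php
// Illustrative example, not PHPGurukul's code. The field names user_login and
// userpassword come from the advisory; every other name here is assumed.

// Vulnerable pattern (reflected XSS): request input is written straight into
// HTML, so any markup or script in user_login is interpreted by the admin's browser.
function render_login_error_vulnerable(string $userLogin): string
{
    return '<p class="error">Invalid login for ' . $userLogin . '</p>';
}

// Hardened pattern, step 1: constrain the input before it is used anywhere.
// Assumed policy: 3-32 characters of letters, digits, dot, underscore, hyphen.
function valid_username(string $userLogin): bool
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $userLogin) === 1;
}

// Hardened pattern, step 2: encode for the HTML context on output. Rejected
// input gets a generic message, which also avoids username enumeration.
function render_login_error_hardened(string $userLogin): string
{
    if (!valid_username($userLogin)) {
        return '<p class="error">Invalid login.</p>';
    }
    $safe = htmlspecialchars($userLogin, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="error">Invalid login for ' . $safe . '</p>';
}

// Recommendation 4: a CSP without 'unsafe-inline' stops inline script from
// running even if some other reflection point in the admin UI is missed.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Assumed credential check against stored password_hash() values; the password
// is only ever compared, never reflected into the page.
function check_credentials(string $login, string $password, array $adminHashes): bool
{
    return isset($adminHashes[$login]) && password_verify($password, $adminHashes[$login]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    send_security_headers();
    $login    = (string)($_POST['user_login'] ?? '');
    $password = (string)($_POST['userpassword'] ?? '');
    $adminHashes = ['admin' => password_hash('change-me', PASSWORD_DEFAULT)]; // constructed sample store
    if (!check_credentials($login, $password, $adminHashes)) {
        echo render_login_error_hardened($login);
    }
}
```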
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-21T06:25:31.354Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 687e368da83201eaac0f54af
Added to database: 7/21/2025, 12:46:05 PM
Last enriched: 7/21/2025, 1:01:27 PM
Last updated: 7/23/2025, 12:39:46 AM