
CVE-2025-7943: Cross Site Scripting in PHPGurukul Taxi Stand Management System

Severity: Medium
Type: Vulnerability
Published: Mon Jul 21 2025 (07/21/2025, 22:32:07 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Taxi Stand Management System

Description

A vulnerability was found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/search-autoortaxi.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/29/2025, 01:14:45 UTC

Technical Analysis

CVE-2025-7943 is a cross-site scripting (XSS) vulnerability in version 1.0 of the PHPGurukul Taxi Stand Management System. It lies in /admin/search-autoortaxi.php, in the handling of the 'searchdata' parameter: the submitted value is reflected into the application's response without proper sanitization or output encoding, so a remote attacker can craft input that causes arbitrary JavaScript to execute in the context of the victim's browser session, without authentication. The issue is classified as problematic and carries a CVSS 4.0 base score of 5.3, a medium severity. The attack vector is network-based with low attack complexity and no privileges required; the CVSS vector does record passive user interaction (UI:P), so a victim must be induced to open the crafted request. Successful exploitation threatens the confidentiality and integrity of user data, for example through session hijacking, credential theft, or actions performed on behalf of the victim. No patch or fix has been publicly released, and although no in-the-wild exploitation is known, the exploit details are public, which raises the likelihood of attempts. Only version 1.0 of the product is affected. The product is a niche taxi stand management system from PHPGurukul, typically used by taxi service operators to manage vehicle and driver data, bookings, and related administrative tasks.

Potential Impact

For European organizations, particularly small to medium-sized taxi service providers or transportation management companies using PHPGurukul Taxi Stand Management System 1.0, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data integrity. Exploitation could lead to unauthorized access to administrative functions, manipulation of booking data, or theft of sensitive customer information such as personal details or payment data if handled within the system. This could result in operational disruption, reputational damage, and potential regulatory non-compliance under GDPR due to data breaches. While the product is not widely adopted among large enterprises, localized taxi operators in Europe relying on this system could face targeted attacks, especially if attackers aim to disrupt transportation services or conduct fraud. The medium severity rating suggests a moderate risk, but the lack of authentication requirements and remote exploitability increase the likelihood of opportunistic attacks. The impact on availability is limited, but the integrity and confidentiality of data and user sessions are at risk.

Mitigation Recommendations

Organizations using PHPGurukul Taxi Stand Management System 1.0 should immediately review and sanitize all inputs, especially the 'searchdata' parameter in /admin/search-autoortaxi.php, to prevent injection of malicious scripts. Implementing proper output encoding (e.g., HTML entity encoding) before reflecting user input in responses is critical. Applying a web application firewall (WAF) with rules to detect and block XSS payloads targeting this parameter can provide interim protection. Since no official patch is available, consider isolating the affected system from public networks or restricting access to trusted administrators only. Conduct thorough security testing and code review to identify and remediate similar input validation issues elsewhere in the application. Educate users and administrators about the risks of XSS and encourage the use of modern browsers with built-in XSS protection. Monitoring logs for suspicious activity related to the vulnerable endpoint can help detect exploitation attempts early. Planning an upgrade or migration to a more secure and actively maintained taxi management solution is advisable.
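To make the first two recommendations concrete, the added example below (not PHPGurukul's code; the real structure of search-autoortaxi.php is not reproduced here) shows an assumed minimal reflected-search handler in its vulnerable form beside a hardened form that HTML-encodes the 'searchdata' value at the point of output.

```php
<?php
// Added example, not the project's code. The handler shape, function names and
// the constructed input are assumptions made for illustration.
declare(strict_types=1);

// Vulnerable pattern: the raw request parameter is interpolated straight into
// the HTML body, so any markup in 'searchdata' becomes part of the page.
function render_search_header_vulnerable(array $get): string
{
    $search = $get['searchdata'] ?? '';
    return "<h4>Search results for \"{$search}\"</h4>";
}

// Hardened pattern: encode for the HTML context at the point of output.
function h(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value is also safe inside quoted
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_header_hardened(array $get): string
{
    $search = (string)($get['searchdata'] ?? '');
    // Defensive input limit: a search term has no reason to be very long.
    if (mb_strlen($search, 'UTF-8') > 100) {
        $search = mb_substr($search, 0, 100, 'UTF-8');
    }
    return '<h4>Search results for "' . h($search) . '"</h4>';
}

// Constructed request standing in for a hostile query string (assumption).
$constructed = ['searchdata' => '"><script>alert(1)</script>'];

// The vulnerable version emits a live <script> element inside the heading.
echo render_search_header_vulnerable($constructed), PHP_EOL;

// The hardened version emits the same characters as inert text: the quote,
// angle brackets and slash are all entity-encoded, so the browser renders
// them as literal characters and no script element is created.
echo render_search_header_hardened($constructed), PHP_EOL;
```

The same `h()` helper should wrap every reflected value in the file, including any echoed into attribute values; encoding must happen on output, not once on input, because the same value may later be emitted in a different context.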


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-21T07:40:13.582Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687ec32da83201eaac151ade

Added to database: 7/21/2025, 10:46:05 PM

Last enriched: 7/29/2025, 1:14:45 AM

Last updated: 8/11/2025, 9:43:05 AM
