CVE-2021-25791

MEDIUM

Online Doctor Appointment System 1.0 - Authenticated Stored Cross-Site Scripting in Update Profile Module


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-25791. PoCs published by Mohamed habib Smidi, MrCraniums.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in Online Doctor Appointment System 1.0. The exploit involves injecting a JavaScript payload into user profile fields, which triggers when the profile is updated or visited.

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.

Exploits (2)

exploitdb WRITEUP
by Mohamed habib Smidi · text · webapps · php
https://www.exploit-db.com/exploits/49396

This is a writeup describing a stored XSS vulnerability in Online Doctor Appointment System 1.0. The exploit involves injecting a JavaScript payload into user profile fields, which triggers when the profile is updated or visited.

Classification
Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Online Doctor Appointment System 1.0
Auth required
Prerequisites: Access to a doctor account · Ability to modify profile fields
devstral-2 · analyzed Feb 16, 2026
nomisec SUSPICIOUS 1 stars
by MrCraniums · poc
https://github.com/MrCraniums/CVE-2021-25791-Multiple-Stored-XSS

The repository lacks actual exploit code and only provides a link to an external ExploitDB entry. It contains minimal technical details and appears to be a placeholder or lure.

Classification: Suspicious 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: Online Doctor Appointment System V1.0
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Product x_refsource_misc
https://www.sourcecodester.com
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49396

Scores

CVSS v3 5.4
EPSS 0.0254
EPSS Percentile 82.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
online_doctor_appointment_system_php_full_source_code_project/online_doctor_appointment_system_php_full_source_code 1.0
Published Jul 23, 2021
Tracked Since Feb 18, 2026