
A critical remote code execution (RCE) vulnerability has been identified in PhpGurukul’s Online Banquet Booking System (OBBS) version 1.2, tracked as CVE-2025-45947 with a CVSS score of 9.8. The flaw resides in the /obbs/change-password.php file within the My Account – Change Password component, allowing unauthenticated attackers to execute arbitrary code [1]. This vulnerability was publicly disclosed on April 28, 2025, and has been confirmed in the National Vulnerability Database (NVD) [2].
Technical Analysis
The vulnerability stems from insufficient input validation when processing user-supplied data in the password change functionality. Attackers can craft malicious requests containing PHP code that the server executes due to improper sanitization. The OBBS system, designed for event management, typically runs with web server privileges, meaning successful exploitation grants control over the hosting environment.
Google search results indicate this is part of a broader trend of vulnerabilities in PhpGurukul products, including CVE-2025-3827 (SQL injection in Men Salon Management System) [3]. The OBBS vulnerability is particularly dangerous because it doesn’t require authentication, lowering the barrier for exploitation. Systems running OBBS 1.2 are confirmed vulnerable, and earlier versions may also be affected.
Impact and Mitigation
Successful exploitation allows complete system compromise, including data theft, malware deployment, and lateral movement within networks. The high CVSS score reflects the attack’s low complexity and lack of required privileges. Immediate mitigation steps include:
- Upgrading to a patched version if available from PhpGurukul
- Restricting access to /obbs/change-password.php via web application firewalls
- Monitoring for unusual process execution originating from the web server
Network defenders should prioritize investigating any internet-facing OBBS installations, as exploit attempts are likely to increase following public disclosure. The vulnerability’s presence in a booking system also raises compliance concerns under data protection regulations due to potential exposure of customer information.
Detection and Response
Security teams can detect exploitation attempts by monitoring web server logs for requests of the form:
```
POST /obbs/change-password.php HTTP/1.1
[...]
password=malicious_payload
```
SIEM rules should alert on base64-encoded or obfuscated PHP code in POST parameters to this endpoint. Endpoint detection systems can look for child processes spawned by the web server user executing system commands. As of April 29, 2025, no public proof-of-concept exploit exists, but the simplicity of the vulnerability makes weaponization likely.
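The log-based detection described above, written out as an added example (this is not code from the advisory author or from PhpGurukul). It assumes the web server, or a reverse proxy in front of it, appends the URL-encoded POST body as a final quoted field of each access-log line; that log format, the parameter names and the sample log lines are all constructed for the example. It flags POSTs to /obbs/change-password.php whose parameters contain PHP open tags, code-execution or decoding functions, hex/chr() obfuscation, or long base64-looking tokens, and rates a finding "high" only when something beyond a bare base64-looking run is present, so long alphanumeric passphrases are surfaced but not escalated.

```python
"""Scan access logs for suspicious POST bodies sent to /obbs/change-password.php.

Added example for this advisory, not PhpGurukul code. Assumes (constructed
format) that each log line ends with the URL-encoded request body in quotes.
"""
import base64
import re
from urllib.parse import parse_qs

TARGET_PATH = "/obbs/change-password.php"

# Combined-log style plus a trailing quoted body field (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<body>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
PHP_FUNC_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
# 24+ base64 characters in a row; real passwords rarely look like this.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/])")
# Hex-escape runs or chr() concatenation chains used to hide keywords.
OBFUSC_RE = re.compile(r"(\\x[0-9a-fA-F]{2}){3,}|chr\s*\(\s*\d+\s*\)\s*\.", re.IGNORECASE)
HIGH = {"php_open_tag", "php_exec_function", "base64_php", "obfuscation"}

# Constructed sample log lines (not real traffic). Bodies are URL-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:01:02 +0000] "POST /obbs/change-password.php HTTP/1.1" 200 512 "password=Summer2025%21&newpassword=Winter2025%21&confirmpassword=Winter2025%21"
203.0.113.11 - - [29/Apr/2025:10:02:10 +0000] "GET /obbs/change-password.php HTTP/1.1" 200 2048 ""
198.51.100.7 - - [29/Apr/2025:10:03:44 +0000] "POST /obbs/change-password.php HTTP/1.1" 200 512 "password=%3C%3Fphp+echo+%27x%27%3B+%3F%3E&newpassword=a&confirmpassword=a"
198.51.100.7 - - [29/Apr/2025:10:03:51 +0000] "POST /obbs/change-password.php HTTP/1.1" 200 512 "password=eval%28base64_decode%28%27QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB%27%29%29%3B&newpassword=b&confirmpassword=b"
203.0.113.12 - - [29/Apr/2025:10:05:00 +0000] "POST /obbs/change-password.php HTTP/1.1" 200 512 "password=old&newpassword=correcthorsebatterystaplecorrect&confirmpassword=correcthorsebatterystaplecorrect"
203.0.113.13 - - [29/Apr/2025:10:06:30 +0000] "POST /obbs/login.php HTTP/1.1" 302 0 "username=guest&password=guest"
"""


def parse_log_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decodes_to_php(token):
    """True if a base64 token decodes to text that itself looks like PHP code."""
    raw = token.rstrip("=")
    try:
        decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    text = decoded.decode("utf-8", "ignore")
    return bool(PHP_TAG_RE.search(text) or PHP_FUNC_RE.search(text))


def suspicious_indicators(value):
    """List why a single parameter value looks like code rather than a password."""
    reasons = []
    if PHP_TAG_RE.search(value):
        reasons.append("php_open_tag")
    if PHP_FUNC_RE.search(value):
        reasons.append("php_exec_function")
    if OBFUSC_RE.search(value):
        reasons.append("obfuscation")
    for token in B64_RE.findall(value):
        reasons.append("base64_php" if decodes_to_php(token) else "long_base64")
    return reasons


def severity(reasons):
    """'high' when any code indicator is present, 'low' for a bare base64-looking run."""
    return "high" if HIGH.intersection(reasons) else "low"


def scan_log(text):
    """Return one finding per suspicious parameter in POSTs to the target path."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?")[0] != TARGET_PATH:
            continue
        for name, values in parse_qs(rec["body"], keep_blank_values=True).items():
            for value in values:
                reasons = suspicious_indicators(value)
                if reasons:
                    findings.append({"ip": rec["ip"], "time": rec["ts"], "param": name,
                                     "reasons": reasons, "severity": severity(reasons)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():5} {f['ip']} {f['time']} "
              f"param={f['param']} reasons={','.join(f['reasons'])}")
```

Against the constructed lines this reports two high-severity findings from 198.51.100.7 (a PHP open tag, then eval/base64_decode) and two low-severity ones for the long passphrase; the GET request and the POST to a different page are ignored. The "low" tier is the tuning knob: raise the base64 length threshold or drop that indicator if a site's password policy produces frequent long alphanumeric values.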
Broader Security Context
This vulnerability highlights ongoing challenges in securing PHP-based web applications, particularly those with minimal security review. The PhpGurukul codebase has demonstrated multiple security issues, suggesting organizations using their products should conduct thorough audits. This case also underscores the importance of:
| Security Practice | Relevance |
|---|---|
| Input validation | Critical for preventing RCE |
| Least privilege | Limits impact of web app compromises |
| Patch management | Essential for niche software |
The vulnerability’s discovery follows increased scrutiny of web booking systems after similar flaws were found in VikRestaurants (CVE-2025-46251) and other hospitality management platforms [4].
Conclusion
CVE-2025-45947 represents a severe threat to organizations using PhpGurukul’s OBBS software. The combination of remote code execution and lack of authentication requirements makes this vulnerability particularly dangerous. Security teams should immediately assess their exposure and implement mitigations while awaiting an official patch. This case serves as a reminder of the risks inherent in lesser-known web applications that may not undergo rigorous security testing during development.
References
- [1] “CVE-2025-45947 Detail,” National Vulnerability Database, 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-45947
- [2] “PHPGurukul Online Banquet Booking System Security Advisory,” PhpGurukul, 2025.
- [3] “CVE-2025-3827: SQL Injection in Men Salon Management System,” GitHub Security Advisory, 2025. [Online]. Available: https://github.com/NuoNuo-L/cve/issues/1
- [4] “Critical Vulnerabilities & Emerging Threats,” Patchstack, 2025. [Online]. Available: https://patchstack.com/database/wordpress/plugin/vikrestaurants