CVE-2025-45949
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk34th percentile - higher than 34% of all known CVEs
Summary
A critical vulnerability in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel. Improper session data handling allows a Session Hijacking attack, leading to account takeover.
Risk Assessment
An attacker can remotely hijack an authenticated user's session, gaining full access to their account and data, potentially leading to identity theft or unauthorized actions.
Recommendation
Immediately update the system to the latest version or apply a security patch. Additionally, implement session protection mechanisms such as session ID regeneration after login and session data validation.
Original NVD description (English source)
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover.

