Description
A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used.
Published: 2026-01-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload
Action: Patch
AI Analysis

Impact

A vulnerability has been discovered in PHPGurukul Online Course Registration up to version 3.1. The flaw resides in the Student Registration component, specifically the edit-student-profile.php script. An attacker can supply a specially crafted photo argument that bypasses the application's file validation logic, allowing the attacker to upload any file type to the server. If the uploaded file lands in a writable directory that is served by the web server, the attacker can place malicious payloads there, potentially leading to remote code execution or further compromise.

Affected Systems

Affected products are PHPGurukul Online Course Registration applications that include the Student Registration module. Any installation using versions up to and including 3.1 is potentially vulnerable. The issue originates from the photo argument in /admin/edit-student-profile.php. No additional version qualifiers are available beyond the upper bound of 3.1; therefore any deployment within this range should be examined.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate impact but the presence of an unrestricted upload elevates the risk when an attacker can supply a web-accessible persistence script. The EPSS indicates a very low exploitation probability (<1%) at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Despite the low prevalence, the attack can be launched remotely without prior authentication, so an attacker could upload a file that, if executed by the server, would give the attacker control over the application. The exploit is publicized on multiple forums and code repositories, so detection of such uploads should be part of security monitoring.

Generated by OpenCVE AI on April 18, 2026 at 08:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PHPGurukul Online Course Registration to the latest version that removes the unrestricted upload flaw, or apply any available vendor patch for versions up to 3.1.
  • Configure the upload directory so that the web server cannot execute files from it; restrict write permissions to only the upload controller and serve uploaded files through a dedicated, non-executable directory.
  • Validate uploaded files rigorously by checking MIME type, file signature, and extensions; reject non‑image files and store uploads outside the web root if possible.
  • Restrict access to the /admin path by requiring authentication or by blocking anonymous access to edit-student-profile.php, reducing the surface for malicious uploads.
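
The validation and storage recommendations above can be combined in one upload routine. The following is an added example, not PHPGurukul's code and not a vendor patch; the function name `store_student_photo`, the size limit and the storage path are assumptions, and only the `photo` field name comes from this record.

```php
<?php
declare(strict_types=1);

// Added example: hardened handling for the `photo` upload field.
// Function name, size limit and storage path are assumptions.
const PHOTO_MAX_BYTES = 2 * 1024 * 1024;
const PHOTO_TYPES = [            // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_student_photo(array $file, string $storageDir): string
{
    // Reject failed, multi-file or non-upload entries before touching the file.
    if (!isset($file['error'], $file['tmp_name'], $file['size'])
        || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not an HTTP upload.');
    }
    if ($file['size'] <= 0 || $file['size'] > PHOTO_MAX_BYTES) {
        throw new RuntimeException('Photo size out of range.');
    }

    // Decide the type from file content, never from the client-supplied
    // filename or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(PHOTO_TYPES[$mime])) {
        throw new RuntimeException('Only JPEG, PNG or GIF photos are accepted.');
    }
    // getimagesize() must also be able to read image dimensions from it.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image.');
    }

    // Server-generated name with a server-chosen extension: the original
    // filename (for example one ending in .php) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . PHOTO_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($storageDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store photo.');
    }
    return $name; // persist this value in the student record
}

// Usage in the profile handler; the path is a placeholder outside the web root.
// $stored = store_student_photo($_FILES['photo'], '/var/app-data/student-photos');
```

Content checks alone do not stop a file that is both a valid image and contains script text, so the storage directory should still be one the web server does not hand to the PHP interpreter.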

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | cpe:2.3:a:phpgurukul:online_course_registration:*:*:*:*:*:*:*:* |

Tue, 06 Jan 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 05 Jan 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Phpgurukul; Phpgurukul online Course Registration |
| Vendors & Products | | Phpgurukul; Phpgurukul online Course Registration |

Fri, 02 Jan 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. |
| Title | | PHPGurukul Online Course Registration Student Registration edit-student-profile.php unrestricted upload |
| Weaknesses | | CWE-284; CWE-434 |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:08:25.076Z

Reserved: 2026-01-01T13:21:45.563Z

Link: CVE-2026-0547

Vulnrichment

Updated: 2026-01-02T14:15:44.955Z

NVD

Status: Analyzed

Published: 2026-01-02T10:15:41.510

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0547

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses