CVE-2025-15406
Published: 01 January 2026
Summary
CVE-2025-15406 is a medium-severity Missing Authorization (CWE-862) vulnerability in Phpgurukul Online Course Registration. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
Mandates authorization checks before permitting access or data processing via external systems.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862/863) in a public-facing PHP web application directly enables remote exploitation of the app without authentication, matching T1190.
NVD Description
A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Deeper analysisAI
CVE-2025-15406 is a missing authorization vulnerability affecting PHPGurukul Online Course Registration versions up to 3.1. The flaw, tied to CWE-862 (Missing Authentication for Critical Function) and CWE-863 (Incorrect Authorization), impacts an unknown function and enables remote exploitation.
An attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation results in low impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). A public exploit is available and may be used.
Advisories and related resources, including a GitHub proof-of-concept detailing broken access control at https://github.com/rsecroot/Online-Course-Registration/blob/main/Broken%20Access%20Control.md, are published on VulDB (https://vuldb.com/?ctiid.339326, https://vuldb.com/?id.339326, https://vuldb.com/?submit.728354) and the vendor site at https://phpgurukul.com/. No specific patch or mitigation details are outlined in the CVE description.
The exploit has been published, indicating potential for real-world use against unpatched instances.
Details
- CWE(s)