Share
## https://sploitus.com/exploit?id=044411FF-A744-566B-985B-C288F19C4148
# CVE-2025-45805
Poc Of CVE-2025-45805
Affected Product: Doctor Appointment Management System
Vendor: phpgurukul
Version: 1.0
Vulnerability Type: Stored Cross-Site Scripting (XSS)

Description:
An authenticated doctor user can inject arbitrary JavaScript code into the doctor profile field (name/employee ID). The malicious payload is then rendered without sanitization when a patient selects the doctor to book an appointment, leading to arbitrary script execution in the victim’s browser. This can result in account takeover, session hijacking, or cookie theft.

Impact: High severity (Account Takeover, Session Hijacking)
Attack Vector: Remote (Stored XSS), victim must visit the booking page
Discovered by: Mohammed Hayaf Al-Saqqaf  & Ayman Al-Hakimi


[![Play](Screenshot_2025-09-02-23-41-56-09_f2cb81fb7cf38af7978f186f2a61634a.jpg)](ATO%20XSS.mp4)