CVE-2025-63955 - Cross-Site Request Forgery (CSRF) leading to Account Deletion

Key Information:
Discoverer: Arul N V
Severity: Medium (CVSS: 6.5 - AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Published: Reserved
Vendor: PHPGurukul
Software Link: https://phpgurukul.com/student-record-system-php/
Affected Version: Student Record System v3.2
Affected Component:

Description:
A Cross-Site Request Forgery (CSRF) vulnerability exists in the component of PHPGurukul Student Record System v3.2. An attacker can trick an authenticated administrator into visiting a malicious webpage that silently issues a forged delete student request. Successful exploitation results in the unauthorized deletion of student accounts, leading to Denial of Service (DoS) and privilege misuse, as no CSRF protections or confirmation mechanisms are implemented.

Impact:
- Unauthorized deletion of any student record.
- Loss of data leading to application-level denial of service.
- Privilege abuse: the attacker forces the admin account to perform unintended actions.
- Full compromise of the integrity of stored academic data.

Steps to Reproduce:
1. Navigate to the endpoint and log into the application using valid admin credentials.
2. Once in the dashboard, click on the View Students option.
3. Turn on a proxy tool such as Burp Suite to intercept the traffic. Delete any student record and capture that request.
4. In Burp Suite, navigate to , where the delete request will appear.
5. Right-click on the request and select .
6. In the PoC generator, copy the generated HTML code.
7. Create a file named and paste the copied code. Modify the parameter value to so it targets the student with ID 1. Save the file.
8. Open the file in a browser.
9. Click the button.
10. A popup confirming "student deleted" will appear.
11. Navigate to and observe that the student with user ID 1 has been deleted, confirming the CSRF vulnerability.
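The root cause named in the description is a state-changing delete that nothing ties to a page the administrator actually loaded. As an added illustration (not code from this advisory or from PHPGurukul's application), the PHP below puts the unprotected handler pattern next to a hardened one that only accepts a POST carrying a per-session synchronizer token and asks for confirmation in the form. The file name delete-student.php, the csrf_token field name, and the in-memory $students array are assumptions made for the example.

```php
<?php
// Added illustrative example, not the Student Record System's own code.
// Contrasts a delete handler that acts on any request naming an id with one that
// requires POST plus a per-session synchronizer token. Names such as csrf_token,
// delete-student.php and the $students array are assumptions.

session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the application is served over HTTPS
    // Lax withholds the session cookie from cross-site POSTs, but still sends it on a
    // top-level cross-site GET, so it alone does not protect a delete reachable by a link.
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for the student table.
$students = [1 => 'Alice', 2 => 'Bob'];

// --- Unprotected pattern: whoever causes the admin's browser to send "id" wins. ---
// The browser attaches the admin's session cookie automatically, and nothing proves
// the request originated from a page of this application.
function deleteStudentUnprotected(array &$students, array $request): string
{
    $id = (int)($request['id'] ?? 0);
    unset($students[$id]);
    return 'student deleted';
}

// --- Hardened pattern: token issued with the page, verified on the request. ---
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function deleteStudentProtected(array &$students, string $method, array $post): string
{
    // Deletion must be a POST; a link or image tag embedded elsewhere cannot satisfy this.
    if ($method !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals keeps the comparison constant-time.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        http_response_code(403);
        return 'invalid CSRF token';
    }
    $id = (int)($post['id'] ?? 0);
    if (!isset($students[$id])) {
        http_response_code(404);
        return 'no such student';
    }
    unset($students[$id]);
    return 'student deleted';
}

// The form the admin actually sees carries the token and a confirmation prompt,
// which is the "confirmation mechanism" the advisory notes is missing.
function renderDeleteForm(int $id): string
{
    $token = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete-student.php" '
         . 'onsubmit="return confirm(\'Delete student ' . $id . '?\')">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Delete</button></form>';
}

// Walk-through on the constructed data: a request with no token is refused and
// the record survives; the admin's own form submission carries the token and succeeds.
$withoutToken = ['id' => 1];
echo deleteStudentProtected($students, 'POST', $withoutToken), "\n"; // invalid CSRF token
echo isset($students[1]) ? "record 1 still present\n" : "record 1 gone\n";
$fromOwnForm = ['id' => 1, 'csrf_token' => issueCsrfToken()];
echo deleteStudentProtected($students, 'POST', $fromOwnForm), "\n";  // student deleted
echo isset($students[1]) ? "record 1 still present\n" : "record 1 gone\n";
```

The token must be regenerated on login (or rotated per session) and stored only server-side; the SameSite attribute is worth setting in addition, but because Lax still permits top-level cross-site GETs, the method check and token verification are what actually close the issue described above.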