Hotel and Lodge Management System
CVE-2025-11400
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in SourceCodester Hotel and Lodge Management System 1.0. This impacts an unknown function of the file /del_room.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
AnalysisAI
SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /del_room.php, enabling database query modification with limited confidentiality and integrity impact. Publicly available exploit code exists; however, EPSS score of 0.03% indicates minimal real-world exploitation probability despite low attack complexity, suggesting this is primarily a security researcher proof-of-concept rather than an active threat.
Technical ContextAI
The vulnerability exists in a PHP-based hotel management application (cpe:2.3:a:nikhil-bhalerao:hotel_and_lodge_management_system:1.0) in the /del_room.php endpoint. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates insufficient input validation or parameterized query usage in the ID argument before SQL execution. The attack vector is network-based with low complexity, but requires authenticated access (PR:L), limiting exposure to users with valid credentials or those who have compromised a user account.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate remediation requires upgrading to a patched version if available from SourceCodester (verify via https://www.sourcecodester.com/); if no patch exists, implement input validation and parameterized queries (prepared statements) in /del_room.php to neutralize SQL injection via the ID parameter. Restrict access to the del_room.php endpoint to authenticated users only and implement least-privilege database account permissions to limit SQLi impact scope. If immediate patching is unavailable, disable or remove the room deletion functionality until a fix is deployed. Database activity logging and Web Application Firewall (WAF) rules blocking SQL keywords in the ID parameter provide temporary detection and prevention, though WAF rules may be bypassed with encoding techniques.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today