Hotel and Lodge Management System
CVE-2025-11402
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in SourceCodester Hotel and Lodge Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /del_curr.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /del_curr.php, enabling database query modification with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the EPSS score of 0.03% indicates low real-world exploitation probability despite public disclosure, suggesting limited practical risk in typical deployments.
Technical ContextAI
The vulnerability exists in a PHP-based hotel management application developed by Nikhil Bhalerao. The /del_curr.php file fails to properly sanitize or parameterize the ID parameter before using it in SQL queries, allowing injection of arbitrary SQL syntax. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates the root cause is insufficient input validation/output encoding. The SQL injection vector is network-accessible but requires prior authentication (CVSS PR:L), limiting the attack surface to authorized users of the system.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation requires code review and patching of the /del_curr.php file to implement parameterized queries or prepared statements for all SQL operations, particularly the ID parameter handling. Operators of this system should apply input validation (whitelist numeric IDs if applicable) and implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the ID parameter. Until patching is feasible, restrict access to the /del_curr.php endpoint to trusted network segments and enforce strong authentication controls. Contact SourceCodester support at https://www.sourcecodester.com/ to request a security patch; consider evaluating alternative hotel management systems with active security maintenance if updates are unavailable.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today