Hotel and Lodge Management System
CVE-2025-11403
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in SourceCodester Hotel and Lodge Management System 1.0. Affected by this issue is some unknown functionality of the file /del_booking.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
AnalysisAI
SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /del_booking.php, enabling unauthorized database queries with limited impact on confidentiality and integrity. Publicly available exploit code exists, but the EPSS score of 0.03% indicates minimal real-world exploitation probability despite low attack complexity, likely due to authentication requirement and limited scope of impact.
Technical ContextAI
The vulnerability exists in a PHP-based hotel management application at the /del_booking.php endpoint. The application fails to properly sanitize or parameterize the ID parameter before incorporating it into SQL queries (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). This classic SQL injection flaw allows attackers with valid application credentials to craft malicious ID values that alter query logic, potentially extracting or modifying booking records. The attack surface is limited by the authentication requirement (PR:L in CVSS 4.0 vector), restricting exploitation to users with legitimate application access.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate remediation requires applying parameterized queries (prepared statements) to the /del_booking.php file, specifically the ID parameter processing logic. Until patching is possible, implement input validation to restrict ID parameters to expected numeric formats and whitelist acceptable values. Apply principle of least privilege to database accounts used by the application - restrict permissions to only necessary tables and operations. Consider deploying a Web Application Firewall (WAF) rule to detect and block SQL injection patterns in the ID parameter, though this adds operational overhead and may generate false positives. Contact SourceCodester (https://www.sourcecodester.com/) regarding patch availability or consider migrating to an actively maintained alternative if this application is no longer supported.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today