Hotel and Lodge Management System
CVE-2025-11405
Severity: LOW
Severity by source: primary rating from NVD (the only source for this CVE).
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was identified in SourceCodester Hotel and Lodge Management System 1.0. This vulnerability affects unknown code of the file /del_tax.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Analysis (AI)
SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter of /del_tax.php. The CVSS score is low (2.1) because exploitation requires valid credentials and the technical impact is limited. Public exploit code exists; even so, the EPSS score of 0.03% indicates a minimal probability of real-world exploitation.
Technical Context (AI)
This is a classic SQL injection vulnerability (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based hotel management application. The /del_tax.php endpoint fails to sanitize or parameterize the ID parameter before using it in a SQL query, so an authenticated user can inject SQL metacharacters. The application most likely builds the DELETE or UPDATE statement on a tax-related table by string concatenation rather than with prepared statements. The CVSS v4.0 vector shows a network attack vector that requires authenticated access (PR:L), which limits the attack surface to users holding valid credentials.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. The primary mitigation is to upgrade to a patched version if the vendor releases one, or to contact SourceCodester directly for security guidance. Immediate compensating controls: implement prepared statements (parameterized queries) in /del_tax.php and in every other SQL-executing endpoint; restrict the del_tax.php endpoint to trusted internal networks or to administrative users only via firewall or WAF rules; and validate all user-supplied parameters (especially ID) against a strict allowlist, for example accepting only numeric values if ID is a primary key. Additionally, apply least-privilege database credentials: the PHP application should connect as a database user holding only SELECT and DELETE permissions on the tax table, not broader administrative privileges. Configure the web application firewall to block SQL injection patterns. The trade-off of network restriction is reduced functionality for legitimate remote access, which may be acceptable for an internal hotel management system.
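The following is an added illustration of the remediation described above; it is not code from SourceCodester's Hotel and Lodge Management System, and the table name (tbl_tax), column name (tax_id), session layout and connection details are assumptions. It shows the concatenation pattern the analysis says the endpoint likely uses, beside a hardened handler that combines an authorization check, strict integer allowlist validation and a mysqli prepared statement.

```php
<?php
// Added example, not the project's own code. tbl_tax, tax_id, the
// $_SESSION['role'] check and the connection details are assumptions.

// --- Pattern the analysis describes as likely (deliberately vulnerable) ---
function delete_tax_vulnerable(mysqli $db, array $get): bool
{
    // The raw request value becomes part of the SQL text, so a crafted ID
    // can change the WHERE clause instead of being treated as a number.
    $sql = "DELETE FROM tbl_tax WHERE tax_id = " . $get['id'];
    return $db->query($sql) === true;
}

// --- Hardened form: authorization + allowlist validation + prepared statement ---
function delete_tax_secure(mysqli $db, array $get, array $session): bool
{
    // 1. Only an administrator may delete tax records (assumed session layout).
    if (($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        return false;
    }

    // 2. Strict allowlist: the ID must be a positive integer and nothing else.
    $id = filter_var(
        $get['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // 3. Parameterized query: the value is bound as an integer, never
    //    interpolated into the SQL string.
    $stmt = $db->prepare("DELETE FROM tbl_tax WHERE tax_id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Usage (assumed connection). The database user should hold only the
// SELECT and DELETE privileges on the tax table that the remediation lists.
// $db = new mysqli('localhost', 'hotel_app', '<password>', 'hotel_db');
// $db->set_charset('utf8mb4');
// delete_tax_secure($db, $_GET, $_SESSION);
```

Validation and parameterization are kept as separate layers on purpose: the integer allowlist rejects malformed input early with a clear 400, while the bound parameter guarantees that even a value that passes validation can never be interpreted as SQL. The role check is the in-application counterpart of the network or WAF restriction recommended above.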