Hotel and Lodge Management System
CVE-2025-11474
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in SourceCodester Hotel and Lodge Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_booking.php. Performing manipulation of the argument Name results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Analysis (AI)
SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /edit_booking.php, resulting in limited confidentiality and integrity impact. The vulnerability has public exploit code available but carries exceptionally low EPSS exploitation probability (0.03%, 8th percentile), suggesting minimal real-world threat despite network accessibility and low attack complexity.
Technical Context (AI)
The vulnerability exists in PHP-based hotel management software where user-supplied input in the Name parameter of the edit_booking.php file is passed directly into a SQL query without sanitization or parameterized queries. This is a classic instance of CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) in a SQL context. The affected CPE (cpe:2.3:a:nikhil-bhalerao:hotel_and_lodge_management_system:1.0) indicates a single-version product with no documented version inheritance or upgrade path, which limits the scope of affected deployments.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. Immediate remediation requires either upgrading to a patched version, if the vendor makes one available at https://www.sourcecodester.com/, or removing the software from production. Compensating controls include:

- Implement parameterized queries or prepared statements in the PHP code to neutralize SQL injection input (requires code modification, or a Web Application Firewall rule to block single quotes and SQL keywords in the Name parameter).
- Restrict access to /edit_booking.php to trusted IP ranges only via network-level controls (reduces the attack surface significantly, since authentication is already required).
- Apply input validation to reject SQL metacharacters in the Name field (limits but does not eliminate risk without query parameterization).

Web Application Firewall signatures that block SQL injection patterns in POST/GET Name parameters can provide temporary protection while code remediation is performed.
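The code-level fix recommended above, shown as an added example that is not code from the SourceCodester project: the string-spliced query pattern the Technical Context describes, next to a prepared-statement rewrite of the same update. The table and column names (booking, name, id), the POST field names and the PDO connection details are assumptions, since the page only identifies /edit_booking.php and the Name argument.

```php
<?php
// Added example, not the project's code. Table/column names, the request
// field names and the connection parameters below are assumptions.
declare(strict_types=1);

// Assumed PDO connection; exceptions on error so failures are not silent,
// and emulated prepares disabled so binding happens server-side.
function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=hotel', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// VULNERABLE: the pattern CVE-2025-11474 describes. The request value is
// concatenated into the statement, so quote characters in Name alter the
// SQL text instead of being treated as data.
function updateBookingUnsafe(PDO $db, string $id, string $name): void {
    $sql = "UPDATE booking SET name = '$name' WHERE id = '$id'";
    $db->exec($sql);
}

// HARDENED: the SQL text is fixed, both values travel as bound parameters,
// and the id is constrained to an integer before it reaches the database.
function updateBookingSafe(PDO $db, string $id, string $name): int {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('booking id must be numeric');
    }
    // Reject control characters and over-long values; 100 is an assumed
    // column width. Apostrophes are deliberately allowed (e.g. O'Brien),
    // because parameter binding makes them harmless.
    if (preg_match('/[\x00-\x1F\x7F]/', $name) || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('invalid name');
    }
    $stmt = $db->prepare('UPDATE booking SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of bookings actually changed
}

// Handler wiring (assumed request shape): the booking id and the Name
// value arrive in the POST body, as they would for edit_booking.php.
$db = connect();
$rows = updateBookingSafe($db, $_POST['id'] ?? '', $_POST['Name'] ?? '');
echo $rows === 1 ? 'updated' : 'no booking changed';
```

A name containing a quote is stored unchanged by the hardened version, which is why the code fix is preferred over the WAF rule above that blocks single quotes in Name: that rule would reject legitimate guests while the underlying defect remained.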