
PHP CVE-2025-6419

EUVD-2025-18893 · MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published 2025-06-21 · CNA: cna@vuldb.com
Score: 5.5 (CVSS 4.0, NVD)

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (6 events)

  • Severity Changed (Apr 29, 2026 - 01:11, NVD): HIGH -> MEDIUM
  • CVSS changed (Apr 29, 2026 - 01:11, NVD): 7.3 (HIGH) -> 5.5 (MEDIUM)
  • EUVD ID Assigned (Mar 15, 2026 - 21:35, euvd): EUVD-2025-18893
  • Analysis Generated (Mar 15, 2026 - 21:35, vuln.today)
  • PoC Detected (Oct 23, 2025 - 20:06, vuln.today): public exploit code
  • CVE Published (Jun 21, 2025 - 21:15, nvd): HIGH 7.3

Description (CVE.org)

A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/edit_room.php. The manipulation of the argument room_type leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-6419 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System 1.0 affecting the /admin/edit_room.php endpoint, where the 'room_type' parameter is improperly sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.3 with public proof-of-concept code available, indicating active exploitation risk and widespread discoverability.

Technical Context (AI)

The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and manifests as SQL injection in a PHP-based hotel reservation system. The /admin/edit_room.php file fails to parameterize or escape the user-supplied 'room_type' GET/POST parameter before incorporating it into SQL queries, most likely by building the query through string concatenation rather than prepared statements or parameterized queries. This is a classic input validation failure in legacy PHP applications that predate modern ORM frameworks and security-aware coding practices. The affected product is code-projects Simple Online Hotel Reservation System version 1.0, typically deployed on Apache/PHP web servers with a MySQL or similar DBMS backend.

Remediation (AI)

  • IMMEDIATE: Disable or restrict access to /admin/edit_room.php using web server controls (e.g., .htaccess, nginx rules) until patching is possible. Implement IP whitelisting for admin interfaces or require VPN/bastion host access.
  • CRITICAL: Apply input validation and parameterized queries. Replace all string concatenation in SQL queries with prepared statements using parameterized queries (mysqli_prepare, PDO prepared statements). Validate the room_type parameter against an allowlist of expected values before it is used in a SQL context.
  • HIGH: Migrate to a maintained alternative. Given the apparent abandonment of Simple Online Hotel Reservation System 1.0, consider migrating to actively maintained hotel management platforms (e.g., Hotelogix, Cloudbeds, or similar SaaS solutions) or to modern open-source alternatives with active security patching.
  • MEDIUM: Implement Web Application Firewall (WAF) rules. Deploy rules that detect and block SQL injection patterns in the room_type parameter (e.g., quotes, SQL keywords, comment characters).
  • MEDIUM: Database-level hardening. Create a database user account with the minimal required privileges (least privilege principle) for the application; avoid using root/admin accounts for application database connections.
  • LOW: Monitoring and detection. Implement query logging and anomaly detection on database connections; monitor for unusual SQL patterns or multi-statement executions.
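A hardened handler for the room_type parameter along the lines of the CRITICAL item above (allowlist validation plus a mysqli prepared statement), written here as an added example and not taken from the Simple Online Hotel Reservation System code. The table and column names (rooms, room_id, room_type), the set of allowed room types, and the $conn connection object are assumptions.

```php
<?php
// Added example (not the project's code): hardened update of a room record.
// Assumptions: a mysqli connection in $conn, a table `rooms` with columns
// `room_id` and `room_type`. The advisory describes the original as likely
// concatenating the raw room_type parameter into the SQL string; this
// version never lets the parameter touch the query text.

// 1. Allowlist: room_type must be one of the values the application defines
//    (set assumed for this example).
const ALLOWED_ROOM_TYPES = ['single', 'double', 'suite', 'deluxe'];

function validate_room_type(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $value = strtolower(trim($value));
    // Strict comparison against the allowlist; anything else is rejected,
    // so quotes, comment sequences and SQL keywords never reach the query.
    return in_array($value, ALLOWED_ROOM_TYPES, true) ? $value : null;
}

function update_room_type(mysqli $conn, int $roomId, string $roomType): bool
{
    // 2. Prepared statement: values travel as bound parameters rather than
    //    as part of the SQL text, so the query structure cannot be altered.
    $stmt = $conn->prepare('UPDATE rooms SET room_type = ? WHERE room_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('si', $roomType, $roomId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling for /admin/edit_room.php (request shape assumed).
$roomType = validate_room_type($_POST['room_type'] ?? null);
$roomId   = filter_input(INPUT_POST, 'room_id', FILTER_VALIDATE_INT);

if ($roomType === null || $roomId === null || $roomId === false) {
    http_response_code(400);
    exit('invalid room_type or room_id');
}

// $conn = new mysqli(...) using a least-privilege DB user (see the MEDIUM item).
// update_room_type($conn, $roomId, $roomType);
```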


CVE-2025-6419 vulnerability details – vuln.today
