How to fix CVE-2025-6448?

Within 24 hours: Disable or restrict network access to /admin/delete_room.php immediately; audit database logs for suspicious activity; notify affected stakeholders. Within 7 days: Deploy Web Application Firewall (WAF) rules to block malicious room_id parameters; conduct forensic analysis for evidence of exploitation; implement input validation at application layer. Within 30 days: Upgrade to patched version when available; perform full security code review of admin functions; implement principle of least privilege for database accounts; deploy real-time SQL injection detection monitoring.

Is PHP affected by CVE-2025-6448?

A critical SQL injection vulnerability in the Simple Online Hotel Reservation System (version 1.0) allows unauthenticated attackers to remotely compromise the hotel booking database through the room deletion function.

CVE-2025-6448

EUVD-2025-18827 HIGH

2025-06-22 [email protected]

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 21:55 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 21:55 euvd

EUVD-2025-18827

PoC Detected

Oct 23, 2025 - 20:06 vuln.today

Public exploit code

CVE Published

Jun 22, 2025 - 00:15 nvd

HIGH 7.3

Description

A vulnerability has been found in code-projects Simple Online Hotel Reservation System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/delete_room.php. The manipulation of the argument room_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6448 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System 1.0 affecting the /admin/delete_room.php endpoint. An unauthenticated remote attacker can manipulate the room_id parameter to execute arbitrary SQL queries, potentially resulting in unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with working exploits available, making active exploitation likely.

Technical Context

The vulnerability exists in a PHP-based hotel reservation system where user-supplied input (room_id parameter) is insufficiently sanitized before being incorporated into SQL queries. This is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an Output Command) where dynamic SQL construction without proper parameterized queries or input validation allows attackers to break out of the intended SQL context. The affected component is an administrative function (/admin/delete_room.php) that should be access-restricted but appears to lack proper authentication checks, compounded by the injection vulnerability.

Affected Products

code-projects Simple Online Hotel Reservation System (['1.0'])

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

CVE-2025-6448 vulnerability details – vuln.today

Back

CVE-2025-6448

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-6448

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code