Which versions of PHP are affected by CVE-2025-6455?

A SQL injection vulnerability in the Online Hotel Reservation System allows unauthenticated remote attackers to compromise database integrity and potentially exfiltrate sensitive guest and payment…

Is there a public PoC exploit available for CVE-2025-6455?

Yes, a public proof-of-concept exploit is available for CVE-2025-6455. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-6455?

Within 24 hours: Identify all instances of the affected system (version 1.0) in production and assess internet accessibility; immediately isolate critical instances from public networks if possible. Within 7 days: Deploy WAF rules to block malicious input patterns on the /messageexec.php endpoint, implement input validation, and disable the affected functionality if not business-critical. Within 30 days: Contact vendor for patch availability timeline, conduct full database audit for unauthorized access, and plan upgrade or replacement strategy.

PHP CVE-2025-6455

Q: What is the CVSS score of CVE-2025-6455?

CVE-2025-6455 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2025-18879 MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-06-22 cna@vuldb.com

PHP SQLi

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Mar 15, 2026 - 21:55 euvd

EUVD-2025-18879

Analysis Generated

Mar 15, 2026 - 21:55 vuln.today

PoC Detected

Nov 13, 2025 - 15:20 vuln.today

Public exploit code

CVE Published

Jun 22, 2025 - 03:15 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability classified as critical was found in code-projects Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /messageexec.php. The manipulation of the argument Name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-6455 is a SQL injection vulnerability in code-projects Online Hotel Reservation System version 1.0, specifically in the /messageexec.php file where the 'Name' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, indicating active exploitation risk.

Technical ContextAI

The vulnerability exists in a web application parameter handling layer (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component, commonly associated with SQL injection). The /messageexec.php endpoint accepts user-supplied input via the 'Name' parameter without proper input validation or parameterized query usage. This allows attackers to inject arbitrary SQL syntax into backend database queries. The affected product is a PHP-based hotel reservation management system running on typical LAMP/LEMP stacks. The root cause is insufficient input filtering before SQL query construction, a preventable weakness through prepared statements or input validation.

RemediationAI

Immediate actions: (1) Apply parameterized queries (prepared statements) to the /messageexec.php file—replace string concatenation in SQL queries with placeholder-based parameterized queries in PHP (mysqli_prepare or PDO prepared statements); (2) Implement input validation on the 'Name' parameter using whitelist-based validation and type checking; (3) Apply principle of least privilege to database user credentials used by the application; (4) Deploy Web Application Firewall (WAF) rules to detect/block common SQL injection patterns in the Name parameter. Contact code-projects for vendor-provided patches; if unavailable, apply temporary access controls to /messageexec.php pending patch release. Monitor for active exploitation attempts in access logs.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-6455 vulnerability details – vuln.today

Back

PHP CVE-2025-6455

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code