Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as critical, was found in code-projects Online Hotel Reservation System 1.0. This affects an unknown part of the file /reservation/demo.php. The manipulation of the argument Start leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
CVE-2025-6457 is a SQL injection vulnerability in code-projects Online Hotel Reservation System 1.0. The /reservation/demo.php endpoint uses the 'Start' request parameter in a database query without sanitization or parameter binding, so an unauthenticated remote attacker can alter the query and, depending on the privileges of the application's database account, read, modify or delete data such as guest and reservation records. Note the severity mismatch on this page: the source description calls the issue "critical", but the NVD CVSS 4.0 vector above rates confidentiality, integrity and availability impact as Low (VC:L/VI:L/VA:L), which scores as Medium (6.9 base, 5.3 once the E:P threat metric is applied). An exploit has been publicly disclosed. EPSS probability and CISA KEV inclusion status are not given in the data on this page.
Technical Context (AI-generated)
The flaw is a classic SQL injection (CWE-89: Improper Neutralization of Special Elements used in an SQL Command; its parent class is CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component) in a PHP-based hotel reservation system. The /reservation/demo.php endpoint takes the 'Start' request parameter and places it into a SQL statement without a prepared statement with bound parameters and without input validation; PHP code that builds queries by string concatenation, or that relies on escaping alone, is exposed in exactly this way. The affected product is code-projects Online Hotel Reservation System version 1.0; the expected NVD-style CPE name is cpe:2.3:a:code-projects:online_hotel_reservation_system:1.0:*:*:*:*:*:*:*. Because SQL metacharacters in the parameter are not neutralized before the query text is assembled, the attacker controls part of the statement and can inject arbitrary SQL.
Remediation (AI-generated)
Patching: upgrade to a release later than 1.0 if the vendor has published one; check the code-projects project page for a fixed version. No patch version is identified in the data on this page, so confirm with the vendor or a security advisory before relying on an upgrade.
Code-level fix: replace every SQL string concatenation in /reservation/demo.php with a prepared statement and bound parameters (mysqli_prepare() or PDO::prepare()). For example, instead of building the query as
  "SELECT * FROM reservations WHERE start_date = '" . $_GET['Start'] . "'"
use
  $mysqli->prepare('SELECT * FROM reservations WHERE start_date = ?')
and bind $_GET['Start'] as a parameter, so the value is sent as data and never becomes part of the SQL text. (The table and column names are illustrative; the page does not give the application's schema.)
Input validation: validate 'Start' against a strict whitelist before it is used in any query or output context: a YYYY-MM-DD date format, an acceptable date range, and the expected type. Treat validation as defence in depth; it does not replace parameter binding.
WAF/IDS: as a temporary measure until the code is fixed, deploy Web Application Firewall rules that block common SQL injection patterns in the Start parameter (single quotes, comment sequences, semicolons, keywords such as UNION and OR). Expect bypasses; pattern matching narrows the attack surface but does not close the hole.
Access control: if demo.php is demo or development code that should not be reachable in production, restrict it at the network level or remove it from the deployed tree, and keep it in a non-public test environment.
EUVD identifier: EUVD-2025-18833