CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
A vulnerability was found in code-projects Wedding Reservation 1.0. It has been classified as critical. This affects an unknown part of the file /global.php. The manipulation of the argument lu leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
CVE-2025-7611 is a critical SQL injection vulnerability in code-projects Wedding Reservation version 1.0, affecting the /global.php file's 'lu' parameter. Remote unauthenticated attackers can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, significantly increasing real-world exploitation risk.
Technical Context (AI)
This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests as SQL injection through insufficient input validation/sanitization. The /global.php file in Wedding Reservation 1.0 fails to properly escape or parameterize the 'lu' parameter before incorporating it into SQL queries. The attack vector is network-based with no authentication required (PR:N) and low attack complexity (AC:L), meaning standard SQL injection techniques (UNION-based, time-based blind, or error-based) are likely viable. The affected product is code-projects Wedding Reservation version 1.0, a web-based reservation management application written in PHP.
Remediation (AI)
Immediate actions:
(1) Identify all instances of Wedding Reservation 1.0 in production and take them offline if possible, or restrict network access to them.
(2) Apply vendor patches if available (check the code-projects repository or official advisories for patched versions).
(3) If no patch is available, implement Web Application Firewall (WAF) rules to block SQL injection payloads in the 'lu' parameter (common patterns: UNION, SELECT, OR 1=1, SLEEP(), BENCHMARK()).
(4) Use parameterized queries/prepared statements in /global.php for all database interactions.
(5) Conduct an emergency code review of global.php and similar entry points.
(6) Implement input validation (whitelist the allowed characters for 'lu') and output encoding.
(7) Monitor database logs for suspicious queries.
Long-term: upgrade to a maintained reservation system, or require immediate vendor security updates before continued use.
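The following is an added example illustrating actions (4) and (6) above; it is not code from Wedding Reservation 1.0 or from code-projects. The advisory does not say how /global.php uses 'lu', so the table name `reservations`, the column `user_login`, and the allowed character set for 'lu' are all assumptions. It runs stand-alone against an in-memory SQLite database (requires the pdo_sqlite extension).

```php
<?php
// Added example (not code from Wedding Reservation 1.0): a hardened handler for
// a request parameter named 'lu'. The real use of 'lu' in /global.php is not
// documented in the advisory, so the table and column names are assumptions.
declare(strict_types=1);

// Allow-list validation: accept only characters the application actually needs.
// The exact allowed set for 'lu' is an assumption; adjust it to the real format.
function validateLu(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Length bound plus a strict character class; reject anything else outright.
    if (preg_match('/\A[A-Za-z0-9_.@-]{1,64}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Look up a reservation by user identifier using a prepared statement.
// The value is bound as data and never spliced into the SQL text, so quotes,
// UNION, comment markers and similar are treated as literal characters.
function findReservation(PDO $db, string $lu): ?array
{
    $stmt = $db->prepare(
        'SELECT id, guest_name, event_date FROM reservations WHERE user_login = :lu'
    );
    $stmt->execute([':lu' => $lu]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Constructed demo using an in-memory SQLite database ---
// For a MySQL deployment, also set PDO::ATTR_EMULATE_PREPARES to false so the
// driver uses server-side prepared statements.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE reservations (id INTEGER PRIMARY KEY, user_login TEXT, guest_name TEXT, event_date TEXT)');
$db->exec("INSERT INTO reservations (user_login, guest_name, event_date) VALUES ('alice', 'Alice Example', '2025-09-20')");

// Constructed inputs: one benign, one carrying SQL metacharacters.
$inputs = ['alice', "alice' OR '1'='1"];
foreach ($inputs as $raw) {
    $lu = validateLu($raw);
    if ($lu === null) {
        // Reject with a generic client error and log the event for monitoring (action 7).
        error_log(sprintf('rejected lu parameter (hex): %s', bin2hex($raw)));
        echo "input rejected\n";
        continue;
    }
    $row = findReservation($db, $lu);
    echo $row === null ? "no reservation\n" : "found reservation for {$row['guest_name']}\n";
}
```

The two layers are deliberately independent: the allow-list stops malformed input at the edge and produces a log line worth alerting on, while the prepared statement guarantees that even a value which slipped past validation cannot change the query's structure. Log the rejected value hex-encoded, as above, so the log itself cannot carry injected content into downstream tooling.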
EUVD-2025-21352