CVE-2025-10788

7.3 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute SQL injection attacks on SourceCodester Online Hotel Reservation System 1.0 via the deleteroominventory.php file. Attackers can manipulate the ID parameter to potentially access, modify, or delete database content. Any organization using this specific hotel reservation system version is affected.

💻 Affected Systems

Products:
  • SourceCodester Online Hotel Reservation System
Versions: 1.0
Operating Systems: Any OS running PHP (typically Linux/Windows with web server)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific PHP implementation with the vulnerable deleteroominventory.php file. Requires PHP environment with database connectivity.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including theft of sensitive guest information (personal data, payment details), reservation manipulation, system takeover, and potential lateral movement to other systems.

🟠 Likely Case

Unauthorized data access and modification of hotel reservation records, potential data exfiltration, and system disruption.

🟢 If Mitigated

Limited impact with proper input validation, database permissions, and network segmentation in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and the system is typically internet-facing for hotel reservations.
🏢 Internal Only: MEDIUM - If the system is only internally accessible, the risk is reduced but still significant if the internal network is compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available on GitHub. SQL injection typically requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch is available. Consider:

  1. Check the vendor website for updates
  2. Implement parameterized queries in deleteroominventory.php
  3. Add input validation for the ID parameter
  4. Apply web application firewall rules
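As an added example (not the project's code and not part of the advisory), this is the shape a hardened deleteroominventory.php handler takes when steps 2 and 3 above are applied: the request must carry a session, the id is validated as a positive integer, and the DELETE is issued through a PDO prepared statement with the value bound as a parameter rather than concatenated into the SQL string. The table and column names (room_inventory, id), the session key admin_id, the redirect target and the DSN and credentials are placeholders, since the advisory does not show the original code.

```php
<?php
// Added example, not the project's code. Hardened replacement for the
// deleteroominventory.php delete handler. The table/column names
// (room_inventory, id), the session key admin_id, the redirect target and
// the DSN/credentials below are placeholders.
declare(strict_types=1);

session_start();

// 1. A delete endpoint must not be reachable without an authenticated session.
//    The advisory lists the exploit as unauthenticated, so this check alone
//    removes the anonymous attack path.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept only a plain positive integer. FILTER_VALIDATE_INT rejects
//    "1' OR '1'='1", "1e3", " 1" and an absent parameter alike, so nothing
//    but an int ever reaches the database code.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid ID');
}

try {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=hotel_db;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);

    // 3. The query text is fixed; the value travels separately as a bound
    //    parameter, so it can never alter the statement's structure.
    $stmt = $pdo->prepare('DELETE FROM room_inventory WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
} catch (PDOException $e) {
    // Log the driver detail server-side only. Echoing it to the client is
    // what error-based injection probes rely on.
    error_log('deleteroominventory: ' . $e->getMessage());
    http_response_code(500);
    exit('Delete failed');
}

if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('No such inventory row');
}

header('Location: roominventory.php'); // placeholder redirect target
exit;
```

The session check and the integer validation each stop the reported attack on their own; the prepared statement is what makes the handler safe even if a later change loosens the validation. Pair it with a database account whose grants are limited to the tables this application needs.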

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (platform: all)

Implement WAF rules to block SQL injection patterns targeting deleteroominventory.php. A WAF rule is a stopgap that reduces exposure while the code is fixed; it does not remove the underlying injection.

# Example ModSecurity rule: deny and log requests whose id argument libinjection flags as SQL injection
SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQL injection attempt in id parameter'"

Input Validation Filter (platform: linux)

Add PHP input validation so that only an integer ID is accepted, placed before any database code in deleteroominventory.php. Validation narrows the attack surface but is not a substitute for parameterized queries.

<?php
// Accept only a plain integer id. FILTER_VALIDATE_INT rejects quotes and
// SQL fragments, exponent forms such as "1e3" (which is_numeric() accepts),
// and a missing parameter alike.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid ID');
}
?>

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation to restrict database access from web server

🔍 How to Verify

Check if Vulnerable:

Test by sending SQL injection payloads to deleteroominventory.php?id parameter (e.g., id=1' OR '1'='1). Monitor for database errors or unexpected responses.

Check Version:

Check PHP files for version comments or examine system documentation. Typically found in readme files or configuration files.

Verify Fix Applied:

Attempt SQL injection tests after implementing fixes. Verify no database errors are returned and input validation rejects malicious payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed requests to deleteroominventory.php
  • SQL syntax errors in web server logs
  • Unusual database access patterns

Network Indicators:

  • HTTP requests with SQL keywords in URL parameters
  • Repeated requests to deleteroominventory.php with varying ID parameters
  • Outbound database connections from web server

SIEM Query:

source="web_logs" AND uri="*deleteroominventory.php*" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR*1*" OR query="*--*" OR query="*;*" OR query="*'*'*'")
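Keyword matches such as the query above are noisy (OR and SELECT occur in ordinary parameter values) and they miss URL-encoded payloads unless the SIEM decodes first. As an added example that is not part of the advisory, this PHP script applies a stricter rule that mirrors the fix: it parses combined-format access log lines, URL-decodes the query string, and reports every request to deleteroominventory.php whose id is absent or is not a plain decimal integer. The log lines are constructed for the example and are not real traffic.

```php
<?php
// Added example, not from the advisory. Flags access-log requests to
// deleteroominventory.php whose id parameter is missing or not a plain
// integer. SAMPLE_LOG is constructed for this example.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/Sep/2025:10:01:02 +0000] "GET /hotel/deleteroominventory.php?id=7 HTTP/1.1" 302 0
203.0.113.10 - - [12/Sep/2025:10:01:09 +0000] "GET /hotel/deleteroominventory.php?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 812
198.51.100.23 - - [12/Sep/2025:10:02:15 +0000] "GET /hotel/deleteroominventory.php?id=7%20UNION%20SELECT%201 HTTP/1.1" 200 1450
198.51.100.23 - - [12/Sep/2025:10:02:40 +0000] "GET /hotel/index.php HTTP/1.1" 200 5120
192.0.2.5 - - [12/Sep/2025:10:03:01 +0000] "GET /hotel/deleteroominventory.php HTTP/1.1" 400 10
LOG;

/**
 * Parse one combined-format access log line into the fields we need,
 * or return null when the line does not match the format.
 */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Return one finding per request to deleteroominventory.php whose id is
 * missing or not a plain decimal integer. parse_str() URL-decodes the
 * values, so encoded payloads are judged on their real content.
 */
function findSuspiciousDeletes(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $path = parse_url($req['uri'], PHP_URL_PATH);
        if (!is_string($path) || basename($path) !== 'deleteroominventory.php') {
            continue;
        }
        $query = parse_url($req['uri'], PHP_URL_QUERY);
        parse_str(is_string($query) ? $query : '', $params);
        $id = $params['id'] ?? null;
        if (!is_string($id) || !preg_match('/^\d+$/', $id)) {
            $findings[] = [
                'ip'     => $req['ip'],
                'time'   => $req['time'],
                'id'     => $id,      // decoded value, or null when absent
                'status' => $req['status'],
            ];
        }
    }
    return $findings;
}

foreach (findSuspiciousDeletes(SAMPLE_LOG) as $f) {
    printf("%s [%s] id=%s status=%d\n", $f['ip'], $f['time'], var_export($f['id'], true), $f['status']);
}
```

Against the constructed lines the script reports the two encoded payloads and the request with no id, and ignores the legitimate id=7 call and the unrelated index.php request. On a real host, pass the access log through file_get_contents() in place of SAMPLE_LOG; a 500 status on a flagged line is the strongest signal, since it suggests the injected input reached the database and produced an error.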

🔗 References
