CVE-2025-11399

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in SourceCodester Hotel and Lodge Management System 1.0 allows attackers to manipulate database queries through the 'floorno' parameter in /pages/save_room.php. Remote attackers can potentially read, modify, or delete database content. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • SourceCodester Hotel and Lodge Management System
Versions: 1.0
Operating Systems: Any OS running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0 with the vulnerable file present.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, or system takeover via SQL injection used to execute arbitrary commands.

🟠 Likely Case: Unauthorized data access, manipulation of hotel/lodge records, or partial database corruption.

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries (PHP)

Modify /pages/save_room.php to validate the 'floorno' parameter and use prepared statements: replace the direct SQL with parameterized queries using PDO or mysqli prepared statements.

Web Application Firewall (WAF) (all platforms)

Deploy WAF rules that block SQL injection patterns in requests to the vulnerable endpoint, /pages/save_room.php.

🧯 If You Can't Patch

  • Restrict network access to the management system to trusted IPs only
  • Run the application with a database user that has only the minimum necessary permissions (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Test the /pages/save_room.php endpoint with SQL injection payloads in the 'floorno' parameter

Check Version:

Check system version in admin panel or review source code for version markers

Verify Fix Applied:

Attempt SQL injection after implementing fixes and verify no database manipulation occurs

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts following SQL injection patterns
  • Unexpected database queries from save_room.php

Network Indicators:

  • HTTP requests to /pages/save_room.php with SQL keywords in parameters
  • Unusual database traffic patterns

SIEM Query:

source="web_logs" AND uri="/pages/save_room.php" AND param="floorno" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1")
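As an added example (not part of the advisory or the vendor's code), the detection logic above applied to constructed web-log lines in Python: it restricts to /pages/save_room.php, percent-decodes the floorno parameter, and applies the keyword markers to that value only, so the URI and parameter conditions are ANDed before the keyword ORs. The log format, the sample requests and the assumption that a floor number should be a plain integer are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines in Combined Log style (not real traffic).
# Plain access logs only carry the query string; if save_room.php is called
# via POST, the same check needs a WAF or proxy log that records form fields.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /pages/save_room.php?roomno=12&floorno=3 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /pages/save_room.php?roomno=12&floorno=3%27%20OR%201%3D1--%20 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /pages/save_room.php?roomno=12&floorno=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0',
    '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /pages/rooms.php?search=select HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TARGET_URI = "/pages/save_room.php"
# Keyword markers from the advisory's SIEM query; compared upper-cased with
# whitespace collapsed so spacing variants of "OR 1=1" still match.
SQLI_MARKERS = ("UNION", "SELECT", "OR 1=1")


def floorno_alerts(lines):
    """One alert dict per request to TARGET_URI whose floorno value looks
    injected; the keyword test is applied only to floorno, i.e. the
    'uri AND param AND (marker OR marker OR ...)' grouping."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash
        url = urlsplit(m.group("target"))
        if url.path != TARGET_URI:
            continue
        # parse_qs percent-decodes, so %27 / %20 become ' and space here.
        for value in parse_qs(url.query, keep_blank_values=True).get("floorno", []):
            norm = " ".join(value.upper().split())
            if any(marker in norm for marker in SQLI_MARKERS):
                reason = "sqli_pattern"
            elif not value.isdigit():
                # Assumption: a floor number is a plain non-negative integer,
                # so any other value gets a lower-severity alert.
                reason = "non_numeric_floorno"
            else:
                continue
            alerts.append({"ip": m.group("ip"), "status": m.group("status"),
                           "floorno": value, "reason": reason})
    return alerts
```

Feed it the request lines from your own logs; the `status` field is kept because a 500 alongside a flagged value lines up with the "unusual SQL errors" indicator above.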
