CVE-2025-11402 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-11402?

CVE-2025-11402 has a CVSS score of 6.3 (MEDIUM). This vulnerability allows remote attackers to execute arbitrary SQL commands via the ID parameter in the /del_curr.php file of SourceCodester Hotel and Lodge Management System 1.0, potentially leading to data theft, manipulation, or system compromise. It affects all users running the vulnerable version of this software, particularly those with internet-facing deployments.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary SQL commands via the ID parameter in the /del_curr.php file of SourceCodester Hotel and Lodge Management System 1.0, potentially leading to data theft, manipulation, or system compromise. It affects all users running the vulnerable version of this software, particularly those with internet-facing deployments.

💻 Affected Systems

Products:

SourceCodester Hotel and Lodge Management System

Versions: 1.0

Operating Systems: Any OS running the software (e.g., Windows, Linux)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability is in the default installation; no special configuration is required for exploitation.

📦 What is this software?

Hotel And Lodge Management System by Nikhil Bhalerao

View all CVEs affecting Hotel And Lodge Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise, including unauthorized access, data deletion, or remote code execution if database privileges allow.

🟠

Likely Case

Data exfiltration or manipulation of hotel/lodge management data, such as guest records or booking information.

🟢

If Mitigated

Limited impact if input validation or WAF blocks malicious SQL payloads, but risk remains if not patched.

🌐 Internet-Facing: HIGH, as the exploit can be performed remotely without authentication, making internet-facing instances prime targets.

🏢 Internal Only: MEDIUM, as internal attackers or malware could exploit it, but requires network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly disclosed, making it easy for attackers to craft SQL injection payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified by vendor

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

Check the vendor website for updates or patches; if unavailable, apply workarounds or consider alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation to sanitize the ID parameter in /del_curr.php, rejecting malicious SQL characters.

Modify PHP code to use prepared statements or parameterized queries for database interactions.

Web Application Firewall (WAF) Rules

all

Deploy a WAF to block SQL injection attempts targeting the /del_curr.php endpoint.

Configure WAF rules to detect and block patterns like ' OR '1'='1' or UNION SELECT in requests.

🧯 If You Can't Patch

Restrict network access to the system, allowing only trusted IPs to reduce exposure.
Monitor logs for unusual SQL queries or access attempts to /del_curr.php and implement intrusion detection.

🔍 How to Verify

Check if Vulnerable:

Test the /del_curr.php endpoint with a SQL injection payload (e.g., ID=1' OR '1'='1) and check for database errors or unexpected responses.

Check Version:

Check the software version in the admin panel or configuration files; default is 1.0.

Verify Fix Applied:

After applying fixes, retest with the same payload; successful fixes should return an error message or no data leakage.

📡 Detection & Monitoring

Log Indicators:

Log entries showing SQL syntax errors or unusual database queries from /del_curr.php requests.

Network Indicators:

HTTP requests to /del_curr.php with SQL keywords (e.g., UNION, SELECT, OR) in parameters.

SIEM Query:

source="/var/log/apache2/access.log" AND uri="/del_curr.php" AND (param="ID" AND value MATCHES "'.*OR.*'" OR value MATCHES ".*UNION.*SELECT.*")

📊 Metadata

CVE ID: CVE-2025-11402

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.05% exploit probability (14.9th percentile)

Published: October 7, 2025

Last Updated: October 9, 2025

🔗 References

https://github.com/TThuyyy/cve1/issues/10 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.327339 Permissions Required,VDB Entry
https://vuldb.com/?id.327339 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.665098 Third Party Advisory,VDB Entry
https://www.sourcecodester.com/ Product
https://github.com/TThuyyy/cve1/issues/10 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11402, you might also want to check these: