CVE-2025-11479

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in SourceCodester Wedding Reservation Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'number' parameter handled by the insertReservation function in function.php. Successful exploitation can lead to theft, modification or deletion of reservation and customer data. Any organization running this version of the system is affected.

💻 Affected Systems

Products:
  • SourceCodester Wedding Reservation Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects deployments where the insertReservation handler in function.php is reachable by clients. The flaw is in the application code, not in PHP or the web server.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise, including sensitive customer data (wedding details, personal information). If the application's database account has write or file privileges, this can extend to takeover of the host and lateral movement to other systems.

🟠 Likely Case

Exfiltration of wedding reservation records and customer personal information, and insertion of attacker-controlled content into the database.

🟢 If Mitigated

Limited impact when input is validated and the application's database account is restricted to the reservation tables with least privilege; at worst only non-sensitive tables are exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit is available on GitHub, and SQL injection is a well-understood attack class for which automated tools such as sqlmap exist, so exploitation requires little skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: none published; vendor site is https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch is available. Fix the code directly: in function.php, rewrite insertReservation so the 'number' value (and every other request value) reaches the database through a prepared statement with bound parameters instead of being concatenated into the SQL string. Validate 'number' against an allow-list as well, but treat validation as defense in depth; parameterized queries are the actual fix.

🔧 Temporary Workarounds

Input Validation Workaround

Applies to: all

Add allow-list validation for the 'number' parameter so it accepts only the expected shape (for a contact number: digits and a few separators) and rejects everything else. Do not try to strip quotes or keywords; filter-based sanitizing is bypassable.

Edit function.php and add the check before the SQL statement is built or executed. This reduces exposure but is not a substitute for prepared statements.
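The block below is an added example, not the project's function.php (which is not reproduced here). It places the assumed vulnerable shape of the insert beside a hardened version that applies both the Official Fix instructions and this validation workaround. The table and column names, the assumption that 'number' is a contact phone number, the mysqli usage and the injected payload are all constructed for illustration.

```php
<?php
// Added example, not the project's own function.php. The "vulnerable" builder is
// an ASSUMED reconstruction of string-concatenated SQL; table and column names
// (reservations, client_name, number, wedding_date) and the idea that 'number'
// is a contact phone number are placeholders, not facts about the project.

// Vulnerable shape (assumed): request values interpolated into the SQL text.
// Written as a string builder so the effect of a payload is visible without a DB.
function buildVulnerableInsert(array $post): string
{
    return "INSERT INTO reservations (client_name, number, wedding_date) "
         . "VALUES ('{$post['name']}', '{$post['number']}', '{$post['date']}')";
}

// Allow-list check for 'number': optional leading '+', then 7-20 characters drawn
// from digits, spaces, hyphens and parentheses. Anything else is rejected rather
// than "cleaned", so a quote, comment marker or keyword never reaches the query.
function validateNumber(string $number): ?string
{
    $number = trim($number);
    return preg_match('/^\+?[0-9][0-9 ()-]{6,19}$/', $number) === 1 ? $number : null;
}

// Hardened insert: validate first, then use a prepared statement so every value
// travels as a bound parameter and the SQL text never contains user data.
function insertReservationHardened(mysqli $db, array $post): bool
{
    $number = validateNumber($post['number'] ?? '');
    if ($number === null) {
        return false;
    }
    $name = (string)($post['name'] ?? '');
    $date = (string)($post['date'] ?? '');

    $stmt = $db->prepare(
        'INSERT INTO reservations (client_name, number, wedding_date) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $name, $number, $date);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Demonstration on constructed input; no database connection is needed for it.
// The payload closes the 'number' literal, supplies an attacker-chosen scalar
// subquery as the third column, and comments out the rest of the statement.
$payload = "x', (SELECT VERSION())) -- ";
$post = ['name' => 'Alice', 'number' => $payload, 'date' => '2030-06-01'];

echo buildVulnerableInsert($post), PHP_EOL;   // the injected statement, as the DB would see it
var_dump(validateNumber($payload));            // the allow-list verdict on the payload
var_dump(validateNumber('+1 (555) 010-2030')); // the allow-list verdict on a normal number
```

Running it prints the concatenated statement, in which the injected subquery (VERSION() here, but any readable table could be selected) has replaced the wedding_date value and the original tail of the statement is dead text behind the comment marker. validateNumber returns null for the payload and returns the normal number unchanged, so the hardened path refuses the request before any SQL is built; even if a payload passed validation, bind_param would store it as an inert string value.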

Web Application Firewall

Applies to: all

Deploy a WAF with SQL injection rules in front of the application to block obviously malicious requests. Treat it as a stopgap: signature rules can be bypassed with encoding tricks or less common SQL syntax, so it buys time rather than fixing the flaw.

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict it to the internal network only
  • Run the application's database account with least privilege (only the reservation tables, no FILE or administrative rights), segment the database host from the rest of the network, and enable query logging on it

🔍 How to Verify

Check if Vulnerable:

Open function.php and locate insertReservation. If the 'number' value from the request is concatenated or interpolated into the SQL string rather than passed through a prepared statement with bound parameters, the installation is vulnerable.

Check Version:

Check the system version in the admin panel or in the configuration files shipped with the install; version 1.0 is the affected release.

Verify Fix Applied:

On a test instance, submit the reservation form with SQL injection payloads in 'number' (a lone single quote, or a quote followed by a comment marker such as ' -- ) and confirm that the request is rejected or the value is stored literally, with no database error. Confirm in the code that the query now uses a prepared statement; a payload that merely fails to trigger an error is not proof of a fix.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL statements in the database query log, such as INSERTs on the reservation table that carry subqueries, UNIONs or comment markers
  • Repeated reservation attempts that produce SQL syntax errors in the PHP or MySQL error logs

Network Indicators:

  • HTTP requests with SQL injection payloads to reservation endpoints

SIEM Query (field names are placeholders; map url and payload to whatever your SIEM uses for the request path and the decoded request parameters):

source="web_logs" AND (url="*function.php*" OR url="*insertReservation*") AND (payload="*UNION*" OR payload="*SELECT*" OR payload="*'*" OR payload="*--*")

If the reservation form submits by POST, the 'number' parameter travels in the request body and will not appear in standard web server access logs; feed WAF audit logs or application-level request logging into this search instead. Decode URL encoding before matching, or an encoded quote (%27) will slip past a search for a literal one.
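The following is an added example, not part of the advisory, of the same detection logic applied offline to request records. The record format (method, path, then the request parameters as sent) is constructed for the example; adapt the parser to whatever your WAF or application logging actually produces. The check decodes the parameters before matching and looks only at the 'number' field on the function.php endpoint, which keeps SQL keywords in ordinary free-text fields from raising false positives.

```php
<?php
// Added example, not part of the advisory. Scans request records for what the
// SIEM query looks for: a hit on the reservation endpoint whose 'number' parameter
// carries SQL injection markers. The record format below is CONSTRUCTED for the
// example: "METHOD PATH PARAMS", with PARAMS still URL-encoded as the client sent
// them (query string for GET, form body for POST).

// Markers that never belong in a phone-number field: a quote, a comment introducer
// (-- or #), a statement separator, or SQL keywords typical of injection.
const SQLI_MARKERS = '/(\'|"|--|#|;|\bUNION\b|\bSELECT\b|\bOR\b\s+\S+\s*=|\bAND\b\s+\S+\s*=|\bSLEEP\s*\(|\bBENCHMARK\s*\()/i';

// Returns one finding per suspicious record: line number, method and the decoded value.
function scanRequestLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        if (!preg_match('/^(\S+)\s+(\S+)\s+(.*)$/', $line, $m)) {
            continue; // not in the constructed format
        }
        [, $method, $path, $query] = $m;
        // Only the vulnerable endpoint is of interest.
        if (stripos($path, 'function.php') === false && stripos($path, 'insertReservation') === false) {
            continue;
        }
        parse_str($query, $params); // URL-decodes, so %27 becomes ' before matching
        $number = $params['number'] ?? null;
        if (is_string($number) && preg_match(SQLI_MARKERS, $number) === 1) {
            $findings[] = ['line' => $i + 1, 'method' => $method, 'number' => $number];
        }
    }
    return $findings;
}

// Constructed sample records: two benign, two carrying injection attempts
// (one a subquery in an INSERT, one a classic quote/OR tautology).
$sample = [
    'POST /function.php name=Alice&number=%2B1+555+010+2030&date=2030-06-01',
    'GET  /index.php page=reservations',
    'POST /function.php name=Bob&number=x%27%2C+%28SELECT+VERSION%28%29%29%29+--+&date=2030-06-01',
    'POST /function.php name=Eve&number=555%27+OR+%271%27%3D%271&date=2030-06-01',
];

foreach (scanRequestLog($sample) as $f) {
    printf("line %d: %s request with suspicious number=%s\n", $f['line'], $f['method'], $f['number']);
}
```

On the sample records the scan reports the third and fourth lines and ignores the first two: the benign phone number decodes to digits and spaces, and the index.php record is skipped before its parameters are even parsed. The decoded value is included in each finding so an analyst can see the payload as the database would have received it.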
