CVE-2025-12856

4.7 MEDIUM

📋 TL;DR

CVE-2025-12856 is a SQL injection vulnerability in the admin reservation endpoint (admin/reservation.php) of Responsive Hotel Site 1.0. The email parameter reaches a SQL query without proper sanitization, so a remote attacker who can reach that endpoint can inject arbitrary SQL. All installations of version 1.0 that expose the vulnerable admin interface are affected.

💻 Affected Systems

Products:
  • Responsive Hotel Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin/reservation.php endpoint to be accessible. Default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including credential theft, data exfiltration, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, modification of reservation records, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the admin interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the admin interface; no authentication bypass is reported, so the attacker needs whatever access the admin panel itself requires. Public exploit code is available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Consider migrating to alternative software or applying the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Add parameterized queries or proper input sanitization to the email parameter in reservation.php

Modify /admin/reservation.php to use prepared statements with PDO or mysqli
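The following is an added illustration, not code from the Responsive Hotel Site project: the string-concatenation pattern that produces the flaw described above, next to a hardened version of the same lookup using mysqli prepared statements. The table name (reservation), column name (email) and the connection details are assumptions; only the parameter name comes from the advisory.

```php
<?php
// Added illustration (not the project's code). Table/column names are assumed.

// --- vulnerable pattern: the user-supplied value becomes part of the SQL text ---
function find_reservation_vulnerable(mysqli $db, string $email): array {
    $sql = "SELECT * FROM reservation WHERE email = '" . $email . "'";
    // A value such as  x' OR '1'='1  rewrites the WHERE clause and returns every row;
    // a value ending in  '; --  lets an attacker append further statements.
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// --- hardened: the SQL text is fixed, the value is sent separately as data ---
function find_reservation_safe(mysqli $db, string $email): array {
    // Optional early rejection: a malformed address never reaches the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [];
    }
    $stmt = $db->prepare("SELECT * FROM reservation WHERE email = ?");
    $stmt->bind_param('s', $email);   // 's' = string; no manual quoting or escaping
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage inside admin/reservation.php (whether the parameter arrives via GET or
// POST is an assumption, hence $_REQUEST; credentials below are placeholders):
// $db   = new mysqli('localhost', 'hotel_user', 'change-me', 'hotel');
// $rows = find_reservation_safe($db, $_REQUEST['email'] ?? '');
```

The PDO equivalent is `$db->prepare("SELECT * FROM reservation WHERE email = :email")` followed by `$stmt->execute([':email' => $email])`. Apply the same change to every query in the file that interpolates a request parameter; fixing only the email parameter leaves any sibling lookups exposed. `get_result()` requires the mysqlnd driver, which is the default in current PHP builds.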

Access Restriction

Platform: linux

Restrict access to the admin interface using IP whitelisting or authentication

Add .htaccess rules to restrict /admin/ directory to specific IPs
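An added example of such rules, not taken from the project or the vendor: an Apache 2.4 `.htaccess` for the `/admin/` directory that admits only the listed administrator networks (the RFC 5737 example addresses are placeholders) and additionally demands HTTP Basic authentication. The file path and password-file location are assumptions.

```apache
# /var/www/html/admin/.htaccess   (path is an assumption: use the directory that serves /admin/)
# Needs AllowOverride AuthConfig (or All) for this directory in the main server config;
# with AllowOverride None the file is silently ignored.

# 1. Network restriction (mod_authz_core, Apache 2.4 syntax).
#    Apache 2.2 equivalents: "Order deny,allow" / "Deny from all" / "Allow from ...".
Require ip 203.0.113.0/24 192.0.2.10

# 2. Extra credential in front of the application's own login (mod_auth_basic).
#    Create the file with: htpasswd -c /etc/apache2/.admin-htpasswd <username>
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile /etc/apache2/.admin-htpasswd
Require valid-user
```

Two caveats a practitioner should check before relying on this: with more than one `Require` line the default is `RequireAll` semantics only inside an explicit `<RequireAll>` block, so wrap both directives in `<RequireAll> ... </RequireAll>` if the intent is "correct network AND valid credentials" rather than either one; and if the site sits behind a reverse proxy or load balancer, `Require ip` sees the proxy's address unless `mod_remoteip` is configured to trust the `X-Forwarded-For` header from that proxy.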

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules
  • Disable or remove the /admin/reservation.php endpoint if not needed

🔍 How to Verify

Check if Vulnerable:

Against a test copy of the site, send requests to /admin/reservation.php with SQL injection probes in the email parameter (for example a value containing an unmatched single quote) and compare the response with that for a benign address; a database error, or a different result set, indicates the parameter reaches the query unsanitized.

Check Version:

Check the software version in the application's configuration or about page

Verify Fix Applied:

Confirm that the same probes no longer produce database errors or change the result set, and that the query in /admin/reservation.php now uses prepared statements rather than string concatenation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin interface
  • Suspicious email parameter values in web logs

Network Indicators:

  • SQL injection patterns in HTTP requests to /admin/reservation.php
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/reservation.php" AND (email="*' OR*" OR email="*;--*" OR email="*UNION*" OR email="*SELECT*" OR email="*INSERT*")
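The query above assumes the SIEM has already extracted `uri` and `email` as fields. The following added example (not part of the original page) applies the same logic offline to raw web server access logs in combined format, URL-decoding the email parameter before matching so that encoded payloads such as `%27%20OR` are caught. The log lines are constructed for illustration and are not real traffic.

```php
<?php
// Added example (not from the original page). Sample log lines below are constructed.

const TARGET_PATH = '/admin/reservation.php';

// The indicators the SIEM query looks for, applied to the decoded parameter value.
const SQLI_PATTERNS = [
    '/\'\s*or\b/i',    // ' OR
    '/;\s*--/',         // ;--
    '/\bunion\b/i',
    '/\bselect\b/i',
    '/\binsert\b/i',
];

// Extract method, path and decoded query parameters from a combined-format log line.
function parse_request(string $line): ?array {
    if (!preg_match('/"(GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[2]);
    $query = [];
    parse_str($parts['query'] ?? '', $query);   // parse_str percent-decodes the values
    return ['method' => $m[1], 'path' => $parts['path'] ?? '', 'query' => $query];
}

// Return the pattern that fired, or null when the line looks benign.
function classify(string $line): ?string {
    $req = parse_request($line);
    if ($req === null || $req['path'] !== TARGET_PATH) {
        return null;
    }
    $email = $req['query']['email'] ?? null;
    if (!is_string($email)) {          // email[]=... arrives as an array; ignore it here
        return null;
    }
    foreach (SQLI_PATTERNS as $re) {
        if (preg_match($re, $email)) {
            return $re;
        }
    }
    return null;
}

// Constructed sample traffic: one benign lookup, two injection attempts, one hit
// on a different path that must not alert.
$sample = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/reservation.php?email=guest%40example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/reservation.php?email=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/reservation.php?email=x%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?email=x%27%20OR%201%3D1 HTTP/1.1" 200 100',
];

foreach ($sample as $line) {
    $hit = classify($line);
    echo ($hit === null ? 'ok     ' : 'ALERT  ') . $line . PHP_EOL;
}
```

Run it as `php scan.php` or adapt the loop to read `file('access.log')`. One limitation applies equally to the SIEM query: if the application receives the email parameter in a POST body, a standard access log records only the path, not the body, so the value is invisible there. In that case the indicator has to come from a WAF or reverse-proxy log that captures request bodies, or from the database's general query log (the "Unusual SQL queries in database logs" indicator above).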
