CVE-2025-12913 – CVE-2025-12913 is a SQL injection vulnerability... (How to Fix)

Q: What is the severity of CVE-2025-12913?

CVE-2025-12913 has a CVSS score of 4.7 (MEDIUM). CVE-2025-12913 is a SQL injection vulnerability in Responsive Hotel Site 1.0 that allows remote attackers to manipulate database queries through the ID parameter in /admin/roomdel.php. This affects all users running the vulnerable version of this hotel management software. Attackers could potentially read, modify, or delete database content.

📋 TL;DR

CVE-2025-12913 is a SQL injection vulnerability in Responsive Hotel Site 1.0 that allows remote attackers to manipulate database queries through the ID parameter in /admin/roomdel.php. This affects all users running the vulnerable version of this hotel management software. Attackers could potentially read, modify, or delete database content.

💻 Affected Systems

Products:

Responsive Hotel Site

Versions: 1.0

Operating Systems: All platforms running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the admin interface to be accessible. The vulnerability is in the room deletion functionality.

📦 What is this software?

Responsive Hotel Site by Fabian

View all CVEs affecting Responsive Hotel Site →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or complete system takeover if database credentials allow privileged access.

🟠

Likely Case

Unauthorized data access and potential data modification in the hotel management database, affecting guest records, bookings, and system configuration.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions, potentially only allowing data reading from specific tables.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects web-accessible admin functionality.

🏢 Internal Only: MEDIUM - While still exploitable internally, attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub. Attack requires access to admin interface but no authentication bypass is mentioned.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries in /admin/roomdel.php.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to ensure ID parameter contains only numeric values

Modify /admin/roomdel.php to validate ID parameter: if(!is_numeric($_GET['ID'])) { die('Invalid input'); }

Web Application Firewall Rule

all

Block SQL injection patterns targeting /admin/roomdel.php

WAF rule: Block requests to /admin/roomdel.php containing SQL keywords in ID parameter

🧯 If You Can't Patch

Restrict access to /admin/ directory using IP whitelisting or authentication
Implement database user with minimal permissions (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Test /admin/roomdel.php?ID=1' OR '1'='1 and observe if SQL error or unexpected behavior occurs

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Test with malicious inputs and verify proper error handling or rejection occurs

📡 Detection & Monitoring

Log Indicators:

Multiple failed SQL queries in web server logs
Unusual access patterns to /admin/roomdel.php
SQL error messages in application logs

Network Indicators:

HTTP requests to /admin/roomdel.php with SQL injection payloads in parameters
Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/roomdel.php" AND (param="ID" AND value MATCHES "'.*OR.*|'.*AND.*|'.*UNION.*")

📊 Metadata

CVE ID: CVE-2025-12913

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (10.2th percentile)

Published: November 8, 2025

Last Updated: November 17, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/HoyaAm/cve-hoya/blob/main/report.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.331631 Permissions Required,VDB Entry
https://vuldb.com/?id.331631 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.681061 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12913, you might also want to check these: