CVE-2025-13075

4.7 MEDIUM

📋 TL;DR

CVE-2025-13075 is an SQL injection vulnerability in Responsive Hotel Site 1.0's admin/usersettingdel.php file that allows attackers to manipulate database queries via the 'eid' parameter. This affects all installations of the vulnerable software version. Remote exploitation is possible, potentially leading to unauthorized data access or manipulation.

💻 Affected Systems

Products:
  • Responsive Hotel Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the vulnerable file present. Requires admin access path to be reachable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise, including admin credential theft, data exfiltration, or full system takeover via follow-on attacks.

🟠 Likely Case

Unauthorized access to sensitive hotel guest data, booking information, or administrative credentials stored in the database.

🟢 If Mitigated

Limited impact with proper input validation and restricted database permissions; potentially only error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to the admin interface path. Public exploit code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates
2. If no patch available, implement workarounds
3. Consider migrating to alternative software

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add parameter validation to usersettingdel.php so that the eid value is checked before it reaches the SQL query; sanitizing alone is weaker than passing it to the query as a bound parameter.

Edit /admin/usersettingdel.php and add the input validation before the SQL query is executed.

Access Restriction (applies to: all)

Restrict access to the admin directory using web server configuration.

Add 'Deny from all' to the .htaccess file in the admin directory, or the equivalent directive for other web servers.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check whether /admin/usersettingdel.php exists and whether the eid parameter is used unsanitized in its SQL queries.

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Test the eid parameter with SQL injection payloads and verify that the request is rejected and errors are handled properly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple failed login attempts to admin panel
  • Suspicious parameter values in eid field

Network Indicators:

  • SQL injection patterns in HTTP requests to usersettingdel.php
  • Unusual database query patterns from web server

SIEM Query:

web.url:*usersettingdel.php AND (web.param.eid:*OR* OR web.param.eid:*UNION* OR web.param.eid:*SELECT*)
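The SIEM query above can be reproduced offline against web server access logs. The following is an added example, not part of the advisory or the Responsive Hotel Site code: it parses constructed Apache-style log lines, URL-decodes the eid value (which the raw wildcard query does not do) and flags the same OR/UNION/SELECT keywords on word boundaries, plus any value that is not a plain integer id (an assumption about what a legitimate eid looks like).

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample access-log lines (Apache combined-style); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /admin/usersettingdel.php?eid=12 HTTP/1.1" 200 512
10.0.0.7 - - [12/Nov/2025:10:01:09 +0000] "GET /admin/usersettingdel.php?eid=12%27%20OR%201%3D1--%20- HTTP/1.1" 200 4096
10.0.0.9 - - [12/Nov/2025:10:01:15 +0000] "GET /admin/usersettingdel.php?eid=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 213
10.0.0.4 - - [12/Nov/2025:10:02:00 +0000] "GET /admin/index.php?page=home HTTP/1.1" 200 880
10.0.0.8 - - [12/Nov/2025:10:02:30 +0000] "GET /admin/usersettingdel.php?eid=%31%30 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same keywords as the advisory's SIEM query, but matched on word boundaries so that
# e.g. "MORE" or "SELECTED" inside an unrelated value does not trip the rule.
KEYWORD_RE = re.compile(r"\b(OR|UNION|SELECT)\b", re.IGNORECASE)


def analyse_line(line):
    """Return a finding dict for a request to usersettingdel.php whose eid value looks
    suspicious, or None. Assumes a legitimate eid is a plain integer id."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if not url.path.endswith("/usersettingdel.php"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("eid", []):
        eid = unquote_plus(raw)  # parse_qs decoded once; decode again to catch double encoding
        reasons = []
        if not eid.isdigit():
            reasons.append("non-numeric")
        reasons += ["keyword:" + k.upper() for k in KEYWORD_RE.findall(eid)]
        if reasons:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                    "eid": eid, "reasons": reasons}
    return None


def scan_log(text):
    """Run analyse_line over every line of a log and collect the findings."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The last sample line (eid=%31%30) decodes to the legitimate id 10 and is not flagged, which is the case a decode-unaware wildcard query handles least well.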
