CVE-2025-13076 – CVE-2025-13076 is an SQL injection vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2025-13076?

CVE-2025-13076 has a CVSS score of 4.7 (MEDIUM). CVE-2025-13076 is an SQL injection vulnerability in Responsive Hotel Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the 'usname' parameter in /admin/usersetting.php. This affects all installations of Responsive Hotel Site 1.0 that have the vulnerable file accessible. Attackers can potentially read, modify, or delete database content.

📋 TL;DR

CVE-2025-13076 is an SQL injection vulnerability in Responsive Hotel Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the 'usname' parameter in /admin/usersetting.php. This affects all installations of Responsive Hotel Site 1.0 that have the vulnerable file accessible. Attackers can potentially read, modify, or delete database content.

💻 Affected Systems

Products:

Responsive Hotel Site

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the default installation. The /admin/usersetting.php file must be accessible via web requests.

📦 What is this software?

Responsive Hotel Site by Fabian

View all CVEs affecting Responsive Hotel Site →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation, or complete system takeover if database permissions allow file system access or command execution.

🟠

Likely Case

Unauthorized data access, modification of user accounts, or extraction of sensitive information like passwords and personal data.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, with database running with minimal privileges.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub. Attack requires access to the admin interface but not necessarily authentication if other vulnerabilities exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Implement input validation and parameterized queries in /admin/usersetting.php. Sanitize all user inputs before database queries.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to sanitize the 'usname' parameter before processing

Edit /admin/usersetting.php to add input validation using prepared statements or parameterized queries

Access Restriction

all

Restrict access to /admin/usersetting.php to authorized users only

Add authentication check at the beginning of /admin/usersetting.php
Implement IP whitelisting for admin access

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block SQL injection patterns targeting the 'usname' parameter
Restrict network access to the admin interface using firewall rules or VPN access only

🔍 How to Verify

Check if Vulnerable:

Test the /admin/usersetting.php endpoint with SQL injection payloads in the 'usname' parameter. Monitor for database errors or unexpected responses.

Check Version:

Check the software version in the application's admin panel or configuration files

Verify Fix Applied:

Attempt SQL injection attacks against the patched endpoint. Verify no database errors are returned and input is properly sanitized.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts to admin interface
Requests to /admin/usersetting.php with suspicious parameters

Network Indicators:

HTTP requests containing SQL keywords (SELECT, UNION, etc.) in parameters
Unusual traffic patterns to admin endpoints

SIEM Query:

source="web_logs" AND (uri="/admin/usersetting.php" AND (param="usname" AND value MATCH "'.*[Ss][Ee][Ll][Ee][Cc][Tt].*'"))

📊 Metadata

CVE ID: CVE-2025-13076

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (10.2th percentile)

Published: November 12, 2025

Last Updated: November 17, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/zhizi1234/cve/blob/main/tmp70/report.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.332207 Permissions Required,VDB Entry
https://vuldb.com/?id.332207 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.682867 Third Party Advisory,VDB Entry
https://github.com/zhizi1234/cve/blob/main/tmp70/report.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13076, you might also want to check these: