CVE-2025-14710

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in FantasticLBP Hotels Server allows attackers to execute arbitrary SQL commands by manipulating the 'telephone' parameter of the /controller/api/OrderList.php API endpoint. The vulnerability affects all versions up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0, and it can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • FantasticLBP Hotels Server
Versions: All versions up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0
Operating Systems: Any OS running the affected software
Default Config Vulnerable: ⚠️ Yes
Notes: The product uses rolling releases, making specific version tracking difficult. All installations using the vulnerable code are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, and potential remote code execution through database functions.

🟠

Likely Case

Data exfiltration of sensitive hotel information (guest data, reservations, payment details) and potential database corruption.

🟢

If Mitigated

Limited impact if strict input validation and WAF rules are in place; blocked SQL injection attempts will still show up in the logs.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects an API endpoint that is typically internet-facing for hotel booking systems.
🏢 Internal Only: MEDIUM - Even if not internet-facing, internal attackers or compromised systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily weaponizable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor did not respond to disclosure

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider implementing workarounds or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement strict input validation for the telephone parameter so that only expected telephone formats are accepted.

Modify /controller/api/OrderList.php to validate the format of the telephone parameter before processing it.

WAF Rule Implementation (applies to: all)

Deploy web application firewall rules that block SQL injection patterns targeting the OrderList.php endpoint.

Add WAF rule: deny requests to /controller/api/OrderList.php whose telephone parameter contains SQL keywords.

🧯 If You Can't Patch

  • Isolate the affected server behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Test the /controller/api/OrderList.php endpoint with SQL injection payloads in the telephone parameter (e.g., telephone=1' OR '1'='1)

Check Version:

Check git commit hash: git log --oneline -1

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return appropriate error messages

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from a single IP
  • Requests to OrderList.php with SQL keywords in parameters

Network Indicators:

  • Unusual outbound database connections from web server
  • Large data transfers from database server

SIEM Query:

source="web_logs" AND uri="/controller/api/OrderList.php" AND (telephone CONTAINS "UNION" OR telephone CONTAINS "SELECT" OR telephone CONTAINS "OR '1'='1'")

🔗 References
