CVE-2025-1963

7.3 HIGH

📋 TL;DR

This critical SQL injection vulnerability in Projectworlds Online Hotel Booking 1.0 allows remote attackers to execute arbitrary SQL commands via the 'checkin' parameter in reservation.php. This can lead to unauthorized data access, modification, or deletion. Any organization using this software is affected.

💻 Affected Systems

Products:
  • Projectworlds Online Hotel Booking
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation with reservation.php accessible is vulnerable. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including credential theft, data exfiltration, privilege escalation, and potential system takeover via SQL injection leading to remote code execution.

🟠 Likely Case

Unauthorized access to sensitive booking data, customer information theft, and potential database manipulation or destruction.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation preventing database access.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via a web interface accessible from the internet.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if accessible within the network perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily weaponizable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Implement strict input validation for the checkin parameter so that it accepts only valid date formats
  • Modify reservation.php to validate the checkin parameter using PHP filter functions or regex patterns

Web Application Firewall (WAF) (applies to: all)

  • Deploy WAF rules to block SQL injection attempts targeting the checkin parameter
  • Add a WAF rule that blocks requests containing SQL keywords in the checkin parameter
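The two workarounds above (strict date validation of checkin) and the parameterized queries mentioned under "If Mitigated" combined, as an added example that is not the project's own code: it assumes $mysqli is an open mysqli connection, that reservation.php reads the parameter from $_GET, and uses placeholder table and column names.

```php
<?php
// Added example (not Projectworlds' code): hardened handling of the
// 'checkin' parameter for reservation.php.
// Assumptions: $mysqli is an open mysqli connection (with mysqlnd, for
// get_result()), the parameter arrives in $_GET, and 'rooms' / 'checkin'
// are placeholder table and column names.

declare(strict_types=1);

// Return the validated date as 'YYYY-MM-DD', or null if it is not a real date.
function validate_checkin(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return null;                      // wrong shape: reject before any SQL runs
    }
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // createFromFormat() silently rolls over impossible dates such as
    // 2025-02-30 to 2025-03-02; the round trip below catches that.
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

$checkin = validate_checkin($_GET['checkin'] ?? null);
if ($checkin === null) {
    http_response_code(400);
    exit('Invalid check-in date.');       // generic message; no SQL error text leaks
}

// Parameterised query: the value is bound, never concatenated into the SQL string,
// so even a value that passed validation cannot alter the query's structure.
$stmt = $mysqli->prepare(
    'SELECT id, room_type FROM rooms WHERE checkin = ? ORDER BY id'
);
$stmt->bind_param('s', $checkin);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();
```

The regex alone is not the protection: the prepared statement is what removes the injection, and the date check exists so that malformed input is rejected with a generic 400 before reaching the database.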

🧯 If You Can't Patch

  • Remove or disable reservation.php file if not essential
  • Implement network segmentation to isolate the booking system from critical databases

🔍 How to Verify

Check if Vulnerable:

Test the checkin parameter in reservation.php with SQL injection payloads like ' OR '1'='1

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Verify that SQL injection payloads no longer work and return proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple failed login attempts following SQL injection patterns
  • Unexpected database queries from web application

Network Indicators:

  • HTTP requests with SQL keywords in checkin parameter
  • Unusual database traffic patterns from web server

SIEM Query:

source="web_logs" "checkin" AND ("OR" OR "UNION" OR "SELECT" OR "--" OR "'")
