CVE Alert: CVE-2025-11473 – SourceCodester – Hotel and Lodge Management System
CVE-2025-11473
A vulnerability has been found in SourceCodester Hotel and Lodge Management System 1.0. An unknown function of the file /edit_curr.php is affected. Manipulation of the argument currsymbol leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Summary Analysis
Risk verdict
High risk. Remote unauthenticated SQL injection with a PoC and automated exploitation available; patching should be treated as urgent.
Why this matters
Successful exploitation can exfiltrate or modify sensitive data, undermine data integrity, and disrupt operations in a hospitality management workflow. For a system used to manage bookings, guests, and finances, this can yield direct financial loss, regulatory exposure, and reputational damage.
Most likely attack path
An attacker remotely targets the edit_curr.php endpoint, supplying crafted currsymbol input to induce SQL injection. With no authentication required and network access possible, the attacker could read or alter database content and potentially escalate access within the application’s DB layer. The attack relies on unparameterised queries and poor input handling, with limited preconditions beyond reachable web app assets and standard user privileges.
Who is most exposed
Deployments of SourceCodester Hotel and Lodge Management System 1.0 that are publicly reachable (on-premises or hosted) and running on common web stacks are at highest risk. Small to mid-size hotels relying on this package, especially when not behind strict WAFs or network segmentation, are typical targets.
Detection ideas
- Anomalous requests to edit_curr.php with unusual or crafted currsymbol values.
- SQL error messages or evidence of database querying anomalies in web/app logs.
- Spikes in failed or unusual database queries linked to the affected endpoint.
- WAF hits for SQLi patterns targeting the parameter.
- Indicators of data access anomalies or exfiltration patterns in DB logs.
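As an added detection example (not from the advisory or the SourceCodester project), the following Python script applies the first two detection ideas above to constructed web-server log lines: it parses combined-format access logs, isolates requests to /edit_curr.php, flags currsymbol values that fall outside a short allow-list of currency codes and symbols or that carry SQL metacharacters, and correlates HTTP 500 responses on the endpoint as possible SQL-error evidence. The log lines, IP addresses and the allow-list pattern are constructed assumptions, not data from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /edit_curr.php?id=3&currsymbol=USD HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:12:00:02 +0000] "GET /edit_curr.php?id=3&currsymbol=%E2%82%AC HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "GET /edit_curr.php?id=3&currsymbol=USD%27%20OR%201%3D1--%20- HTTP/1.1" 200 9120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2025:12:00:06 +0000] "GET /edit_curr.php?id=3&currsymbol=USD%27 HTTP/1.1" 500 231 "-" "python-requests/2.31"
192.0.2.4 - - [10/Oct/2025:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [timestamp] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Expected shape of a currency symbol (assumption): a 1-4 character ISO-style code or
# a symbol glyph. Anything longer or containing other characters is unexpected input.
ALLOWED_SYMBOL = re.compile(r'^[A-Za-z$€£¥₹]{1,4}$')
# Cheap secondary signal: quoting/comment characters or SQL keywords in the value.
SQLI_HINTS = re.compile(r"['\"`;]|--|/\*|\b(or|and|union|select|sleep)\b", re.IGNORECASE)

AFFECTED_PATH = '/edit_curr.php'


def analyze_log(text):
    """Return one finding per suspicious request to the affected endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group('target'))
        if parts.path != AFFECTED_PATH:
            continue
        # parse_qs percent-decodes, so %27 is compared as a literal single quote
        values = parse_qs(parts.query, keep_blank_values=True).get('currsymbol', [])
        reasons = []
        for value in values:
            if not ALLOWED_SYMBOL.match(value):
                reasons.append('currsymbol outside allow-list')
            if SQLI_HINTS.search(value):
                reasons.append('SQL metacharacters or keywords in currsymbol')
        if m.group('status') == '500':
            reasons.append('server error on affected endpoint (possible SQL error)')
        if reasons:
            findings.append({'ip': m.group('ip'), 'status': m.group('status'),
                             'currsymbol': values, 'reasons': sorted(set(reasons))})
    return findings


if __name__ == '__main__':
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

The allow-list check does the real work; the keyword pattern only adds a reason string, so a legitimate non-ASCII symbol such as the euro sign is not flagged.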
Mitigation and prioritisation
- Apply vendor patch or upgrade to a fixed version immediately.
- Implement parameterised queries and robust input validation on currsymbol.
- Deploy a Web Application Firewall with SQLi rules and monitor for related events.
- Restrict access to the application backend and enforce least-privilege DB accounts.
- Initiate change management: test the fix in staging, then patch production; enable enhanced logging and alerting. If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1.