CVE Alert: CVE-2025-10623 – SourceCodester – Hotel Reservation System

CVE-2025-10623

Severity: HIGH (no exploitation known)

A vulnerability was identified in SourceCodester Hotel Reservation System 1.0. The affected element is an unknown function in the file deleteuser.php. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used.

CVSS v3.1: 7.3
Vendor: SourceCodester
Product: Hotel Reservation System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-17T22:32:08.211Z
Updated: 2025-09-17T22:32:08.211Z

AI Summary Analysis

Risk verdict

High risk: remote SQL injection with publicly available exploit; no authentication required, so prompt action is advised.

Why this matters

Attackers could access, modify, or exfiltrate data tied to reservations, potentially exposing PII and disrupting operations. The public exploit lowers barriers for automated abuse across exposed deployments.

Most likely attack path

An unauthenticated actor targets deleteuser.php via the ID parameter, triggering an injection in the backend query. With network access and low complexity, data leakage, record modification, or service impact within the app’s database is possible, and no user interaction is required. Scope remains within the vulnerable component unless broader DB access exists.

Who is most exposed

Internet-facing installations of SourceCodester Hotel Reservation System 1.0, especially in small to medium organisations running common LAMP stacks.

Detection ideas

  • Look for unusual or repeated requests to deleteuser.php with crafted ID inputs.
  • Monitor web/app logs for SQL syntax errors or database error codes.
  • IDS/WAF alerts matching SQLi patterns or PoC indicators.
  • Anomalous data access around user or booking records.
  • Unscheduled data transfers or spikes in DB query latency tied to the endpoint.
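As an added example of the first detection idea above (not code from the advisory or the vendor), the following Python scan reads Apache-style access-log lines, isolates requests to deleteuser.php, and flags any whose ID argument is not a plain integer, then counts repeat sources. The /hotel/ path prefix and the log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log layout: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): one legitimate call,
# two injection-style requests from the same source, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2025:22:40:01 +0000] "GET /hotel/deleteuser.php?id=7 HTTP/1.1" 302 221
203.0.113.9 - - [17/Sep/2025:22:41:13 +0000] "GET /hotel/deleteuser.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 500 512
203.0.113.9 - - [17/Sep/2025:22:41:14 +0000] "GET /hotel/deleteuser.php?id=7%20AND%20SLEEP%285%29 HTTP/1.1" 200 118
10.0.0.5 - - [17/Sep/2025:22:42:00 +0000] "GET /hotel/index.php HTTP/1.1" 200 4096
"""

def suspicious_requests(log_text, endpoint="deleteuser.php", param="id"):
    """Return (client ip, decoded id value, HTTP status) for every request to
    the endpoint whose id argument is not a plain non-negative integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/" + endpoint):
            continue
        # parse_qs percent-decodes values; keys are lowercased so ID and id match.
        args = {k.lower(): v for k, v in
                parse_qs(url.query, keep_blank_values=True).items()}
        for value in args.get(param.lower(), []):
            if not value.isdigit():  # a real user id is purely numeric
                findings.append((m.group("ip"), value, int(m.group("status"))))
    return findings

def repeat_offenders(findings, threshold=2):
    """Client IPs with at least `threshold` flagged requests."""
    counts = Counter(ip for ip, _, _ in findings)
    return [ip for ip, n in counts.items() if n >= threshold]

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG)
    for ip, value, status in hits:
        print(f"{ip} sent id={value!r} -> HTTP {status}")
    print("repeat sources:", repeat_offenders(hits))
```

A 500 status paired with a non-numeric id is the strongest signal, since it usually means the injected text reached the database and broke the query.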

Mitigation and prioritisation

  • Patch or upgrade to a fixed version; if not feasible, apply compensating controls. Treat as priority 2.
  • Enforce parameterised queries and input validation; implement least-privilege DB accounts.
  • Restrict or disable direct access to deleteuser.php (IP allowlists, authentication).
  • Deploy WAF/IDS rules specific to SQLi; tighten logging and alerting for this endpoint.
  • Plan patching in the next maintenance window with backups and post-fix validation.
