CVE Alert: CVE-2025-10843 – Reservation – Online Hotel Reservation System
CVE-2025-10843
A flaw has been found in Reservation Online Hotel Reservation System 1.0. The affected component is an unknown function of the file /reservation/paypalpayout.php. Manipulation of the argument confirm leads to SQL injection. The attack can be launched remotely. An exploit has been published and may be used.
AI Summary Analysis
Risk verdict
High severity: a remotely exploitable SQL injection in the PayPal payout endpoint (/reservation/paypalpayout.php, confirm parameter) that requires neither authentication nor user interaction; the published exploit raises the likelihood of rapid, automated abuse.
Why this matters
Successful exploitation could expose or alter reservation and payment data, with financial and reputational consequences for affected properties. Even if the per-request impact on confidentiality, integrity and availability looks modest, an attacker can read or tamper with sensitive records and, if the endpoint is targeted repeatedly, disrupt bookings or payouts.
Most likely attack path
The attacker sends a crafted value in the confirm parameter to /reservation/paypalpayout.php over the network. No privileges or user interaction are required, so any internet-facing deployment is reachable. Successful exploitation can read or modify database contents; the application itself offers few controls that would contain this, so the privileges of the database account and the network exposure of the host decide the blast radius.
Who is most exposed
Any internet-facing installation of Reservation Online Hotel Reservation System 1.0 is at risk, particularly small hotels or MSP-hosted deployments running the PHP application with direct database access and minimal input sanitisation.
Detection ideas
- SQL syntax (quotes, comment markers, UNION/SELECT, OR 1=1, SLEEP) in the confirm parameter of requests to /reservation/paypalpayout.php.
- Database errors or stack traces revealed in HTTP responses or logs, including a rise in HTTP 500 responses from the endpoint.
- Anomalous query activity or bulk reads from the reservations/payments tables by the web application's database account.
- Spikes in requests to the endpoint from many source IPs without an associated user session.
- WAF signatures flagging SQLi-like payloads targeting PHP endpoints.
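The first, second and fourth detection ideas can be checked against ordinary web-server access logs. The script below is an added example written for this page, not tooling from the advisory source or from the product vendor: it parses combined-format log lines, URL-decodes the confirm parameter of requests to /reservation/paypalpayout.php, flags SQL-looking values, HTTP 500s and a known scanner user agent, and counts distinct source IPs. The log lines are constructed samples, the numeric-only allowlist for confirm is an assumption about what a legitimate value looks like, and the indicator regexes are generic SQLi heuristics rather than a reproduction of the published exploit.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/reservation/paypalpayout.php"   # endpoint named in the advisory
PARAM = "confirm"                                # parameter named in the advisory

# Combined log format (Apache/nginx default). Other formats need a different regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators applied to the URL-decoded parameter value. Each is a named
# heuristic, not a claim about the payload used by the published exploit.
SQLI_SIGNS = [
    ("quote_or_comment", re.compile(r"['\"]|--|/\*|#")),
    ("boolean_tautology", re.compile(r"\b(?:or|and)\b\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
    ("union_select", re.compile(r"\bunion\b.+?\bselect\b", re.I | re.S)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
]
# ASSUMPTION: a legitimate confirm value is a short bare integer. If your
# deployment uses another shape (token, hash), change this allowlist.
PLAUSIBLE_VALUE = re.compile(r"^\d{1,12}$")
TOOLING_UA = re.compile(r"sqlmap", re.I)

# Constructed sample lines; not real traffic from any deployment.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:10:01:02 +0000] "GET /reservation/paypalpayout.php?confirm=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Oct/2025:10:01:05 +0000] "GET /reservation/paypalpayout.php?confirm=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 9321 "-" "python-requests/2.31"
203.0.113.12 - - [12/Oct/2025:10:01:07 +0000] "GET /reservation/paypalpayout.php?confirm=1%20UNION%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1" 500 214 "-" "curl/8.4.0"
203.0.113.13 - - [12/Oct/2025:10:01:09 +0000] "GET /reservation/index.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Oct/2025:10:01:11 +0000] "GET /reservation/paypalpayout.php?confirm=42 HTTP/1.1" 200 515 "-" "Mozilla/5.0"
203.0.113.15 - - [12/Oct/2025:10:01:13 +0000] "GET /reservation/paypalpayout.php?confirm=1%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 510 "-" "sqlmap/1.8"
"""


def analyse_line(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so indicators run on what the PHP side would see
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    reasons = []
    for value in values:
        if not PLAUSIBLE_VALUE.match(value):
            reasons.append("value_not_allowlisted")
        reasons.extend(name for name, rx in SQLI_SIGNS if rx.search(value))
    if m["status"] == "500":
        reasons.append("server_error")       # DB errors commonly surface as HTTP 500
    if TOOLING_UA.search(m["ua"]):
        reasons.append("tooling_user_agent")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "values": values, "reasons": sorted(set(reasons))}


def scan_log(text):
    """Scan a whole log and return the findings in file order."""
    return [f for f in map(analyse_line, text.splitlines()) if f]


def summarise(findings):
    """Aggregate reason counts and distinct source IPs (the many-IPs spike signal)."""
    reasons = Counter(r for f in findings for r in f["reasons"])
    return {"requests": len(findings),
            "distinct_ips": len({f["ip"] for f in findings}),
            "reasons": dict(reasons)}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], hit["status"], hit["reasons"])
    print(summarise(hits))
```

On the sample, the three payload lines are flagged and the two benign requests are not; `summarise` reports three requests from three distinct IPs. In production, feed it the real access log, tune the allowlist to the value shape your deployment actually uses, and treat `server_error` on this endpoint as worth a look even when the parameter itself looks clean, since error-based probing can use shapes these regexes miss.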
Mitigation and prioritisation
- Patch or upgrade to a version the vendor states is unaffected as soon as a fix is available; until then, rely on the compensating controls below.
- Validate input against an allowlist and use parameterised queries/prepared statements; never splice request parameters into SQL.
- Restrict the database privileges of the web application's account (least privilege, a dedicated DB user for the app, no DDL or file-system rights).
- Disable detailed error output to clients; centralise application and database logs and monitor them for SQLi indicators.
- Test fixes in staging before production under normal change control; watch for activity matching the published proof of concept.
- If the CVE is listed in CISA KEV or its EPSS score is 0.5 or higher, treat it as priority 1; otherwise treat it as high priority with accelerated remediation.
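The second mitigation above (validate, then bind) is the one that actually removes the bug class. The example below is added here to show the difference concretely; it is not the application's code and nothing is known about its real query. It uses a constructed in-memory SQLite table with an assumed `payouts` schema and an assumed numeric `confirm` token, builds the same lookup three ways, and shows a textbook tautology payload returning every row through dynamic SQL while parameter binding returns nothing and the allowlist rejects it outright.

```python
import re
import sqlite3

# ASSUMPTION: table and column names are constructed for this example, not the app's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE payouts (id INTEGER PRIMARY KEY, confirm TEXT, guest TEXT, amount REAL);
        INSERT INTO payouts VALUES (1, '1001', 'alice', 120.0);
        INSERT INTO payouts VALUES (2, '1002', 'bob',   340.5);
        INSERT INTO payouts VALUES (3, '1003', 'carol',  89.9);
    """)
    return conn


def lookup_vulnerable(conn, confirm):
    """Dynamic SQL: the request value is spliced into the statement text.
    This is the bug class the advisory describes; a quote in the value
    ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, guest, amount FROM payouts WHERE confirm = '{confirm}'"
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, confirm):
    """Parameter binding alone: the value is sent to the engine as data, so
    it can never change the statement's structure. It just matches no row."""
    sql = "SELECT id, guest, amount FROM payouts WHERE confirm = ?"
    return conn.execute(sql, (confirm,)).fetchall()


CONFIRM_RE = re.compile(r"^\d{1,12}$")   # ASSUMPTION: confirm is a short numeric token


def lookup_hardened(conn, confirm):
    """Allowlist first, then bind. Rejecting bad input early keeps junk out of
    logs and stops probing before the database is touched at all."""
    if not CONFIRM_RE.match(confirm):
        raise ValueError("confirm must be numeric")
    sql = "SELECT id, guest, amount FROM payouts WHERE confirm = ?"
    return conn.execute(sql, (confirm,)).fetchall()


def demo():
    """Run all three variants on a benign value and on a tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"          # generic SQLi shape, not the published exploit
    out = {
        "benign_vuln": lookup_vulnerable(conn, "1002"),
        "benign_hard": lookup_hardened(conn, "1002"),
        "payload_vuln": lookup_vulnerable(conn, payload),   # every row leaks
        "payload_bound": lookup_bound_only(conn, payload),  # no row matches
    }
    try:
        lookup_hardened(conn, payload)
        out["payload_hard"] = "query ran"
    except ValueError:
        out["payload_hard"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

Binding is the control that matters; the allowlist is defence in depth. Pair it with the third mitigation: if the application's database account can only read and write the tables it needs, even an injection that does succeed cannot reach other schemas or the file system.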