CVE Alert: CVE-2025-11470 – SourceCodester – Hotel and Lodge Management System
CVE-2025-11470
A security vulnerability has been found in SourceCodester Hotel and Lodge Management System up to version 1.0. The affected component is an unknown function in the file /manage_website.php. Manipulating the website_image or back_login_image argument leads to an unrestricted file upload. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
AI Summary Analysis
Risk verdict
Elevated risk: an unrestricted file upload in a PHP application, reachable remotely, with a publicly disclosed exploit and a PoC available. In the deployment contexts described below it leads to remote code execution on the web host.
Why this matters
An unrestricted upload in a PHP application typically lets the attacker place a web shell in a web-served directory and gain remote code execution, exposing guest and financial data and enabling defacement or further compromise. For a hotel and lodge management system this puts bookings, payments and personal data within reach, with regulatory and reputational consequences if data is exfiltrated or altered.
Most likely attack path
An attacker holding administrative or similarly privileged access sends a crafted upload to the affected script, using the website_image or back_login_image parameter to store executable content instead of an image. The vulnerability is network-accessible and needs no interaction from another user, so an admin interface exposed to the internet (or reachable with weak, shared or default credentials) shortens the path considerably. Once code runs as the web server user, the attacker can read the application's configuration and database contents on that host; how far beyond the host they get depends on what else that account and the stored credentials can reach.
Who is most exposed
Deployments that expose the admin web interface to the internet, and any installation of this SourceCodester project where admin access control is weak or misconfigured, are most at risk.
Detection ideas
- Multipart POST requests to /manage_website.php whose website_image or back_login_image part is not an image: wrong magic bytes, a .php/.phtml/.phar name, or a double extension such as x.php.jpg.
- PHP code or web-shell signatures (eval, base64_decode, system, shell_exec) appearing in files under the upload directory.
- Access-log entries for /manage_website.php from addresses outside the admin allowlist, especially when followed by requests to a newly created file under the upload path.
- New files with executable extensions in web-served upload paths; file-integrity monitoring on those directories catches this without log parsing.
- Repeated login failures against the admin login, or admin activity at unusual times or from unusual sources.
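The two checks below implement the first four ideas as an added example; this is not code from the original alert or from the SourceCodester project. It assumes PHP 8 on the CLI, a "combined"-format access log, and an upload directory under the web root whose name, the admin allowlist and the web-shell marker list are all assumptions to adapt per deployment. The log lines and files it scans are constructed sample data.

```php
<?php
// Added example, not part of the original alert or of the SourceCodester project.
//   1. find POSTs to /manage_website.php in an access log, flagging sources outside an admin allowlist
//   2. sweep an upload directory for executable extensions and common web-shell markers
// Log lines and files are constructed sample data; directory name, allowlist and markers are assumptions.
declare(strict_types=1);

// Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+/';
// Script named in the advisory. The website_image / back_login_image parts travel in the multipart
// POST body, so the access log only records the path; inspecting the body needs the app or WAF log.
const TARGET_PATH = '/manage_website.php';
// Extensions that must never exist in a web-served upload directory.
const EXEC_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'shtml', 'cgi'];
// Crude web-shell indicators; expect false positives on legitimate PHP, none on real images.
const SHELL_MARKERS = ['eval(', 'base64_decode(', 'system(', 'shell_exec(', 'passthru(', 'assert(', '$_REQUEST', '$_GET', '$_POST'];

/** Return the POST requests to the vulnerable script, noting which came from outside the admin allowlist. */
function suspiciousUploads(array $lines, array $adminAllowlist = []): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                                    // unparseable line; count these separately in production
        }
        $path = strtok($m['path'], '?');                 // drop any query string before comparing
        if ($m['method'] === 'POST' && $path === TARGET_PATH) {
            $hits[] = ['ip' => $m['ip'], 'time' => $m['time'], 'status' => (int) $m['status'],
                       'from_admin_net' => in_array($m['ip'], $adminAllowlist, true)];
        }
    }
    return $hits;
}

/** Return files under $dir with an executable extension anywhere in the name, or shell markers in content. */
function scanUploadDir(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        // Every dotted segment is checked, so "shell.php.jpg" is caught as well as "x.phtml".
        $segments = array_map('strtolower', array_slice(explode('.', $file->getFilename()), 1));
        $badExt   = array_values(array_intersect($segments, EXEC_EXT));
        $head     = (string) file_get_contents($file->getPathname(), false, null, 0, 65536); // first 64 KiB
        $markers  = array_values(array_filter(SHELL_MARKERS, fn($s) => str_contains($head, $s)));
        if ($badExt || $markers) {
            $findings[] = ['file' => $file->getPathname(), 'bad_ext' => $badExt, 'markers' => $markers];
        }
    }
    return $findings;
}

// ---- constructed sample data ----
$sampleLog = [
    '203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "GET /manage_website.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2025:10:01:40 +0000] "POST /manage_website.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2025:10:01:43 +0000] "GET /images/cmd.php?c=id HTTP/1.1" 200 88 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Oct/2025:09:00:00 +0000] "POST /manage_website.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];
$dir = sys_get_temp_dir() . '/hlms_uploads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/logo.png", "\x89PNG\r\n\x1a\n");                                         // benign
file_put_contents("$dir/cmd.php", "<?php system(\$_REQUEST['c']); ?>");                          // plain web shell
file_put_contents("$dir/banner.php.jpg", "GIF89a <?php eval(base64_decode(\$_POST['x'])); ?>"); // double extension

foreach (suspiciousUploads($sampleLog, ['10.0.0.5']) as $h) {
    printf("[%s] POST %s from %s status %d%s\n", $h['time'], TARGET_PATH, $h['ip'], $h['status'],
        $h['from_admin_net'] ? '' : '   <-- outside admin allowlist');
}
foreach (scanUploadDir($dir) as $f) {
    printf("%s  ext=[%s]  markers=[%s]\n", $f['file'], implode(',', $f['bad_ext']), implode(',', $f['markers']));
}
array_map('unlink', glob("$dir/*"));   // remove the constructed files again
rmdir($dir);
```

Run it with `php detect.php`. In the sample, the second and fourth log lines are flagged, only the first of them as coming from outside the allowlist, and the sweep reports cmd.php and banner.php.jpg but not logo.png. The third line, a GET to a file that did not exist before the POST, is the follow-on request the third detection idea refers to; correlating the two by source address and time is a one-line join on the `suspiciousUploads` output in whichever SIEM holds the logs.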
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a fixed version if one is published; verify the download's integrity (checksum or signature) before deploying it.
- Remove the unrestricted upload: allowlist a small set of image extensions and check the bytes of each file (magic bytes, successful image decode), never the client-supplied Content-Type or filename alone.
- Store uploads outside the web root under server-chosen names, or at minimum disable script execution in the upload directory; serve files with a fixed content type and restrictive per-file permissions.
- Enforce strong authentication (MFA) for admin endpoints, restrict them to trusted networks, rotate credentials and audit access.
- Add WAF rules that block non-image uploads and executable extensions on this endpoint, and test everything in staging before redeploying.
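The weak pattern behind this class of bug beside a handler that applies the checklist above, as an added example; it is not SourceCodester's code and not from the original alert. The parameter names website_image and back_login_image are the ones the advisory cites; the storage path /var/app/uploads, the 2 MiB limit and the function names are assumptions, and the code needs PHP 8 with the fileinfo and gd extensions. The CLI demo at the end exercises the validation and re-encoding steps on constructed files, since the full handler needs a real request for is_uploaded_file.

```php
<?php
// Added example, not code from SourceCodester or from the original alert.
// Parameter names from the advisory; storage path, size limit and function names are assumptions.
// Requires PHP 8 with the fileinfo and gd extensions.
declare(strict_types=1);

// ---- WEAK: client-chosen name, no checks, written inside the web root, so "cmd.php" becomes /images/cmd.php ----
function weakSaveImage(array $file, string $webRoot): string
{
    $dest = $webRoot . '/images/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// ---- HARDENED ----
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

/** Check name, size and real content of a candidate image; return the allowed extension or throw. */
function validateImage(string $tmpPath, string $clientName, int $size): string
{
    if ($size <= 0 || $size > MAX_IMAGE_BYTES) {
        throw new RuntimeException('bad size');
    }
    // Exactly one extension, from the allowlist: "x.php.png" and "x.png.php" both fail here.
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) !== 2 || $parts[0] === '' || !isset(ALLOWED[$parts[1]])) {
        throw new RuntimeException('extension not allowed');
    }
    $ext = $parts[1];
    // Inspect the bytes; $_FILES[...]['type'] is sent by the client and proves nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext] || @getimagesize($tmpPath) === false) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    return $ext;
}

/** Decode and re-encode with GD so only pixel data survives; PHP embedded in a polyglot is dropped. */
function reencodeImage(string $src, string $dest, string $ext): bool
{
    $img = @imagecreatefromstring((string) file_get_contents($src)); // @: malformed data only warns
    if ($img === false) {
        return false;
    }
    $ok = match ($ext) {
        'png'         => imagepng($img, $dest),
        'jpg', 'jpeg' => imagejpeg($img, $dest, 90),
        'gif'         => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok;
}

/** Full handler for one $_FILES entry: store under a random name outside the document root. */
function storeImage(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a successful upload');
    }
    $ext  = validateImage($file['tmp_name'], $file['name'], (int) $file['size']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;      // server-chosen, no user input in the path
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!reencodeImage($file['tmp_name'], $dest, $ext)) {
        throw new RuntimeException('image decode failed');
    }
    chmod($dest, 0640);
    return $name;                                        // persist this; serve it through a read-only script
}
// Admin handler (assumed path):  $stored = storeImage($_FILES['website_image'], '/var/app/uploads');
// Serving script: accept only names matching /^[0-9a-f]{32}\.(png|jpe?g|gif)$/, send Content-Type from
// ALLOWED plus "X-Content-Type-Options: nosniff", then readfile() from the storage directory.
// If the directory must stay under the web root, also disable execution there:
//   Apache /images/.htaccess :  php_flag engine off  and  <FilesMatch "\.(php|phtml|phar)$">Require all denied</FilesMatch>
//   nginx                    :  location ^~ /images/ { location ~ \.(php|phtml|phar)$ { return 403; } }

// ---- CLI demo on constructed files ----
$dir = sys_get_temp_dir() . '/hlms_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$img = imagecreatetruecolor(8, 8); imagepng($img, "$dir/real.png"); imagedestroy($img);
file_put_contents("$dir/poly", "GIF89a\x01\x00\x01\x00\x00\x00\x00<?php system(\$_GET['c']); ?>"); // GIF header + PHP
file_put_contents("$dir/shell", "<?php system(\$_GET['c']); ?>");
$cases = [["$dir/real.png", 'logo.png'], ["$dir/real.png", 'logo.php.png'], ["$dir/shell", 'cmd.php'],
          ["$dir/poly", 'banner.jpg'], ["$dir/poly", 'banner.gif']];
foreach ($cases as [$path, $name]) {
    try {
        $ext = validateImage($path, $name, filesize($path));
        $ok  = reencodeImage($path, "$dir/out.$ext", $ext);
        printf("%-14s passes validation; re-encode %s\n", $name,
            $ok ? 'ok, only pixels written' : 'refused, no decodable image data');
    } catch (RuntimeException $e) {
        printf("%-14s rejected: %s\n", $name, $e->getMessage());
    }
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

The banner.gif case is the instructive one: a file that starts with a valid GIF header and carries PHP after it passes both the extension allowlist and the fileinfo/getimagesize checks, which is why the handler does not write the original bytes at all but only what GD can decode and re-encode. Together with a random server-chosen name, storage outside the document root, and execution disabled in any directory that must remain web-served, that leaves no path for an uploaded file to run as code.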