CVE Alert: CVE-2025-11479 – SourceCodester – Wedding Reservation Management System
CVE-2025-11479
A security vulnerability has been detected in SourceCodester Wedding Reservation Management System 1.0. The affected function is insertReservation in the file function.php. Manipulation of the argument number leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection with publicly disclosed PoC allows unauthenticated access to manipulate the database.
Why this matters
The vulnerability enables attackers to read, modify or delete data and potentially disrupt bookings, undermining trust and service availability. With no user interaction or privileges required, automated exploitation could scale across exposed instances, especially where automated deployments are common.
Most likely attack path
An attacker can directly supply crafted input to the insertion endpoint in the vulnerable PHP code, triggering a SQL injection without authentication. The lack of user interaction and network-only access means rapid automated exploitation is plausible, risking data confidentiality, integrity and availability on the backend DB. If the app uses a single DB user with broad rights, the impact widens to potential data exposure or full data compromise.
Who is most exposed
Web deployments of self-hosted PHP apps that expose the insertion functionality publicly are most at risk, especially in small to mid-sized organisations with default DB credentials or insufficient input sanitisation.
Detection ideas
- High volume or unusual error messages in application or DB logs indicating SQL syntax errors from input fields.
- Excessive POST requests to the insertion endpoint with atypical numeric payloads or SQL-like patterns.
- WAF alerts for SQL injection signatures targeting the number parameter or similar input.
- Anomalous data changes or log entries showing unexpected reservation records.
- Increased DB query latency tied to the vulnerable endpoint.
Mitigation and prioritisation
- Apply vendor patch or upgrade to a fixed version immediately.
- Implement parameterised queries/prepared statements for all inputs; avoid string-concatenated SQL.
- Enforce least-privilege DB accounts and separate application and DB layers; restrict network access where feasible.
- Add input validation and server-side sanitisation for all parameters, especially numeric inputs used in queries.
- Enable SQL query auditing and deploy targeted WAF rules; schedule patching with a test plan.
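As an added illustration of the second mitigation (this is example code, not the project's own function.php): the string-concatenation pattern that produces this class of bug, beside a hardened insertReservation that validates the number argument and binds it with a mysqli prepared statement. Only the function name, file and argument name come from the advisory; the table name, column names and the guest-name parameter are assumptions.

```php
<?php
// Added example, not the project's code. Table, column names and the 'name'
// parameter are assumed; only insertReservation and the 'number' argument are
// taken from the advisory.

// Vulnerable pattern: a user-controlled value is spliced into the SQL text, so
// the database parses attacker input as part of the statement.
function insertReservation_vulnerable(mysqli $db, array $post): bool
{
    $number = $post['number'];          // attacker-controlled, never validated
    $sql = "INSERT INTO reservations (phone_number, guest_name) VALUES ('"
         . $number . "', '" . $post['name'] . "')";
    return (bool) $db->query($sql);     // string-built SQL: injectable
}

// Hardened form: allow-list the input shape, then send the value separately
// from the query text so it can only ever be data, never SQL.
function insertReservation(mysqli $db, array $post): bool
{
    $number = (string) ($post['number'] ?? '');
    // Assumed format for the numeric argument: 1 to 20 ASCII digits.
    if (!preg_match('/^[0-9]{1,20}$/', $number)) {
        throw new InvalidArgumentException('invalid reservation number');
    }
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('invalid guest name');
    }

    $stmt = $db->prepare(
        'INSERT INTO reservations (phone_number, guest_name) VALUES (?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $number, $name);  // placeholders, not concatenation
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Example wiring (assumed credentials): the DB account used here should hold
// only INSERT/SELECT on the reservation tables, per the least-privilege item.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'wrms_app', 'CHANGE_ME', 'wrms');
insertReservation($db, ['number' => '0123456789', 'name' => 'Example Guest']);
```

The validation step rejects non-digit input before the query runs, and the prepared statement is what removes the injection even for inputs that pass validation.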