VYPR
High severity 7.3 · NVD Advisory · Published Sep 17, 2025 · Updated Apr 29, 2026

CVE-2025-10623

Description

A vulnerability was identified in SourceCodester Hotel Reservation System 1.0. The affected element is an unknown function of the file deleteuser.php. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Hotel Reservation System 1.0 is vulnerable to unauthenticated SQL injection in deleteuser.php, allowing remote attackers to compromise the database.

Overview

The SourceCodester Hotel Reservation System version 1.0 contains a SQL injection vulnerability in the deleteuser.php file [1]. The root cause is insufficient validation of the id parameter, which is directly concatenated into SQL queries without sanitization [1]. This bug allows an attacker to inject arbitrary SQL code through the id argument [1].

Exploitation

The vulnerability can be exploited remotely without any authentication or authorization [1]. The id parameter is the attack surface, and the vulnerability type is time-based blind SQL injection [1]. This means an attacker can send crafted payloads via HTTP requests to the deleteuser.php endpoint to extract information even without visible error output [1].

Impact

Successful exploitation grants an attacker unauthorized access to the underlying database [1]. Potential consequences include data leakage, modification or deletion of sensitive records, and, in worst cases, full system compromise or service interruption [1]. The vendor homepage is referenced as sourcecodester.com [2], but no patch has been publicly released.

Mitigation

As of the publication date (2025-09-17), no fix has been provided by the vendor [1]. Users of the affected product should treat the system as compromised, apply input sanitization to the id parameter, and consider isolating the application until a patch is available.
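One way to apply the input handling described above, shown as an added example rather than code from the vendor or the original advisory: the id is accepted only as a positive integer and is bound through a prepared statement instead of being concatenated into the query. The function names, the `users` table with an `id` column, and the in-memory SQLite database (used so the example runs offline on PHP 8) are assumptions, not details of the affected application.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a positive decimal integer as the id.
function parse_user_id(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;                      // empty, signed, or mixed input
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;    // also rejects overflow and leading zeros
}

// Hypothetical hardened delete routine. An authentication and role check is
// assumed to have run before this function is called.
function delete_user(PDO $db, mixed $rawId): bool
{
    $id = parse_user_id($rawId);
    if ($id === null) {
        return false;                     // caller should answer HTTP 400
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Constructed demo data (assumed schema, not the application's real one).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed inputs: one valid id, then values that are not plain integers.
foreach (['2', '2 OR 1=1', '-1', '', '3abc'] as $raw) {
    $ok = delete_user($db, $raw);
    printf("%-12s => %s\n", var_export($raw, true), $ok ? 'deleted' : 'rejected');
}
echo 'rows left: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
```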

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

5
