CVE-2025-0230

MediumPublic PoC

Published: 05 January 2025

Published

05 January 2025

Modified

23 October 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0007 21.7th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0230 is a medium-severity Injection (CWE-74) vulnerability in Fabian Responsive Hotel Site. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents SQL injection by validating the 'pid' argument in /admin/print.php against malicious input.

SI-2 Flaw Remediation good match

prevent

SI-2 requires identification, reporting, and correction of the specific SQL injection flaw in Responsive Hotel Site 1.0.

RA-5 Vulnerability Monitoring and Scanning good match

detect

RA-5 enables vulnerability scanning to detect the SQL injection vulnerability in /admin/print.php as a known CVE.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

SQL injection in /admin/print.php enables exploitation of public-facing web applications (T1190), abuse of server software components for malicious SQL execution (T1505), and collection of data from databases via UNION queries (T1213.006).

NVD Description

A vulnerability, which was classified as critical, was found in code-projects Responsive Hotel Site 1.0. Affected is an unknown function of the file /admin/print.php. The manipulation of the argument pid leads to sql injection. It is possible to launch the…

attack remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-0230 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Responsive Hotel Site 1.0. The flaw resides in an unknown function within the file /admin/print.php, where manipulation of the "pid" argument enables SQL injection. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-05.

Attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required, but it necessitates low privileges such as a standard authenticated user account. Successful exploitation allows limited impacts, including partial unauthorized disclosure of sensitive data (C:L), minor manipulation of data or configuration (I:L), and limited denial of service (A:L).

VulDB advisories (ctiid.290226, id.290226) and related submissions detail the issue, while a GitHub repository at Huandtx/cve contains a public proof-of-concept exploit in sql1.md. The code-projects.org vendor page is referenced, but no specific patches or mitigations are outlined in the disclosure. Security practitioners should monitor these sources for updates and apply input sanitization or access controls to the affected endpoint as interim measures. The exploit has been publicly disclosed and may be in use.

Details

CWE(s): CWE-74 CWE-89

Affected Products

fabian

responsive hotel site

1.0

CVEs Like This One

CVE-2025-2391Same vendor: Fabian

CVE-2025-2985Same vendor: Fabian

CVE-2025-2854Same vendor: Fabian

CVE-2025-1197Same vendor: Fabian

CVE-2025-0229Same vendor: Fabian

CVE-2025-2389Same vendor: Fabian

CVE-2025-2419Same vendor: Fabian

CVE-2025-2384Same vendor: Fabian

CVE-2025-7166Same vendor: Fabian

CVE-2025-2984Same vendor: Fabian

References

https://code-projects.org/
Product · cna@vuldb.com
https://github.com/Huandtx/cve/blob/main/cve/Responsive%20Hotel%20Site/sql1.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.290226
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.290226
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.474581
Third Party Advisory, VDB Entry · cna@vuldb.com