CVE-2025-1963

HighPublic PoC

Published: 05 March 2025

Published

05 March 2025

Modified

02 April 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0005 14.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1963 is a high-severity Injection (CWE-74) vulnerability in Projectworlds Online Hotel Booking. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of information inputs like the 'checkin' parameter, directly preventing SQL injection attacks by rejecting or sanitizing malicious payloads.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of identified flaws, directly addressing the SQL injection vulnerability in /reservation.php through patching or code fixes.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

RA-5 involves vulnerability scanning that can identify SQL injection flaws like CVE-2025-1963 in web applications prior to exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web app (/reservation.php) enables exploitation of public-facing application (T1190), abuse of server software component (T1505), and data collection from databases via queries like --dbs (T1213.006).

NVD Description

A vulnerability was found in projectworlds Online Hotel Booking 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /reservation.php. The manipulation of the argument checkin leads to sql injection. The attack can be initiated…

remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-1963 is a critical SQL injection vulnerability (CWE-74, CWE-89) in projectworlds Online Hotel Booking version 1.0. The flaw affects unknown code within the /reservation.php file, where manipulation of the 'checkin' argument enables injection of malicious SQL queries. Published on 2025-03-05, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is remotely exploitable by unauthenticated attackers requiring low attack complexity and no user interaction. Successful exploitation grants low-level impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption via injected SQL payloads. An exploit has been publicly disclosed and may be in use.

Advisories and details are available via VulDB entries (ctiid.298564, id.298564, submit.511466) and a GitHub issue at ubfbuz3/cve/issues/2, which include the disclosed exploit. No specific patches or mitigations are detailed in the core description, so security practitioners should review these references for updates, such as applying input sanitization or upgrading the software.

Details

CWE(s): CWE-74 CWE-89

Affected Products

projectworlds

online hotel booking

1.0

CVEs Like This One

CVE-2025-1962Same product: Projectworlds Online Hotel Booking

CVE-2025-1965Same product: Projectworlds Online Hotel Booking

CVE-2025-1964Same product: Projectworlds Online Hotel Booking

CVE-2025-2066Same vendor: Projectworlds

CVE-2025-8471Same vendor: Projectworlds

CVE-2025-2064Same vendor: Projectworlds

CVE-2025-2063Same vendor: Projectworlds

CVE-2025-2657Same vendor: Projectworlds

CVE-2025-2661Same vendor: Projectworlds

CVE-2025-2662Same vendor: Projectworlds

References

https://github.com/ubfbuz3/cve/issues/2
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.298564
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.298564
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.511466
Third Party Advisory, VDB Entry · cna@vuldb.com
https://github.com/ubfbuz3/cve/issues/2
Exploit, Issue Tracking, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0