CVE-2025-1965
Published: 05 March 2025
Summary
CVE-2025-1965 is a high-severity Injection (CWE-74) vulnerability in Projectworlds Online Hotel Booking. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing the emailusername input in the /admin/login.php function.
Ensures timely identification, reporting, and patching of the SQL injection flaw in the vulnerable login endpoint.
Detects the SQL injection vulnerability through regular vulnerability scanning of the affected application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SQL injection in public-facing web application (/admin/login.php) enables exploitation of public-facing applications (T1190) and collection of data from backend databases (T1213.006) via query manipulation, data dumping, and enumeration as demonstrated in POC.
NVD Description
A vulnerability classified as critical has been found in projectworlds Online Hotel Booking 1.0. Affected is an unknown function of the file /admin/login.php. The manipulation of the argument emailusername leads to sql injection. It is possible to launch the attack…
more
remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1965 is a critical SQL injection vulnerability in projectworlds Online Hotel Booking version 1.0. The issue affects an unknown function within the /admin/login.php file, where manipulation of the emailusername argument enables SQL injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-05.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required, low attack complexity, and no user interaction needed. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads in the login process.
Advisories and details are documented in sources including VulDB entries (ctiid.298566, id.298566, submit.511473) and a GitHub issue at ubfbuz3/cve/issues/4. The exploit has been publicly disclosed and may be used by attackers.
Notable context includes the public availability of the exploit, increasing the risk for unpatched instances of the affected software.
Details
- CWE(s)