← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-0230 · CWE-74 · Disclosed 2025-01-05

A vulnerability

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a bad lock on a storage closet, not an open vault on the sidewalk

CVE-2025-0230 is a SQL injection flaw in code-projects Responsive Hotel Site affecting version 1.0, specifically the /admin/print.php path where the pid parameter is not safely handled. Public PoC material says an attacker can manipulate pid to alter backend SQL queries, which means data readout, tampering, or destructive queries against the app database are plausible if the page is reachable.

The vendor/CNA MEDIUM score is still a bit generous for enterprise prioritization. The decisive friction is that the vulnerable endpoint lives under /admin/ and the CNA vector says PR:L, so this is not a clean internet-scale pre-auth exploit; it is a post-auth app-layer bug in a lightly maintained sample PHP project that the vendor itself documents for localhost XAMPP/WAMP-style deployment.

"Real SQLi, but it sits behind admin access in a demo app that most enterprises should never expose"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get to the admin surface

The attacker first needs network reachability to the app and a route to /admin/print.php. In practice this usually means the app is externally exposed or the attacker already has internal access to a dev/test segment. Tooling is trivial here: a browser, curl, Burp Suite, or ffuf is enough to verify the path exists.
Conditions required:
  • Responsive Hotel Site 1.0 is deployed at all
  • The web server exposes the /admin/ area to the attacker's network position
  • The attacker can reach the PHP app over HTTP/S
Where this breaks in practice:
  • The product page explicitly describes localhost XAMPP/WAMP deployment, which strongly suggests many installs are lab, student, or dev-only
  • There is no strong product fingerprint or reliable internet exposure dataset for this sample app
  • Many enterprises will not knowingly run this project in production
Detection/coverage: External ASM and unauthenticated scanners often miss this class of issue because the product is niche and the vulnerable endpoint is under /admin/.
STEP 02

Satisfy the privilege requirement

The CNA-assigned vector is PR:L, so exploitation assumes at least low privileges rather than anonymous internet access. That means the attacker needs valid app credentials, a hijacked session, or some other foothold that gets them past the app's access controls. Common offensive tooling here is Burp Suite session replay or credential stuffing against weak demo credentials if admins left them unchanged.
Conditions required:
  • Valid low-privileged or admin-capable application session
  • Authentication is enforced the way the CNA score implies
Where this breaks in practice:
  • This prerequisite already assumes a prior compromise stage or exposed weak credentials
  • MFA, SSO front-ends, VPN gating, or simple IP restrictions can kill the path before the SQLi matters
  • If the admin area is broken or disabled, the vulnerable path may be unreachable in practice
Detection/coverage: Authenticated DAST can find this; generic perimeter scanners usually cannot prove it without credentials.
STEP 03

Inject through pid

Once authenticated, the attacker can send crafted requests to /admin/print.php?pid=... and test for injection using sqlmap, manual UNION SELECT probes, or boolean/time-based payloads. The public PoC explicitly points to pid and describes UNION-style extraction. If the backend query is reachable as described, database contents tied to reservations, bookings, or admin data can likely be enumerated.
Conditions required:
  • The vulnerable admin/print.php file is present
  • pid flows into a SQL statement without proper parameterization
  • Database errors or response differences are observable enough to exploit
Where this breaks in practice:
  • Custom error handling, generic responses, or WAF rules can slow exploitation
  • Some installs may have code drift or local edits that break the PoC
  • Least-privileged DB accounts can limit what the injection can actually do
Detection/coverage: WAFs and RASP can catch obvious UNION, comment, and timing payloads; SAST/grep-based code review can also spot raw pid use in print.php.
STEP 04

Turn app DB access into actual impact

Impact is typically bounded to the application's database and whatever credentials that PHP app already holds. An attacker may dump records, alter bookings, delete rows, or potentially abuse the DB account if it is over-privileged. This is serious for the single app, but it is not the same as hands-free enterprise takeover.
Conditions required:
  • Successful SQL injection
  • Useful data or dangerous DB permissions behind the vulnerable query
Where this breaks in practice:
  • Blast radius is usually confined to one app and its database
  • No evidence here of direct OS-level RCE or cross-tenant spread
  • Modern monitoring may flag anomalous SQL volume or destructive queries
Detection/coverage: DB audit logs, HTTP request logs, and WAF telemetry are the best places to see abuse if the app is actually instrumented.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative evidence of active exploitation found. CISA KEV: not listed; OpenCVE also shows KEV no.
Public PoCYes. Public PoC/notes exist in GitHub by Huandtx, naming /admin/print.php and the pid parameter, with UNION-style SQLi discussed.
EPSS0.00097 from the prompt intel, which is extremely low predicted exploitation probability. Third-party trackers around this CVE also show EPSS in the ~0.001 range.
KEV status and datesNot present in the CISA Known Exploited Vulnerabilities Catalog as checked for this assessment.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L matters because PR:L means authenticated/post-auth, not anonymous pre-auth internet exploitation.
Affected versionsAuthoritative records consistently name Responsive Hotel Site 1.0 as affected. I found no broader maintained version range.
Fixed versionNo official vendor fix or maintained patched version was identified. Treat this as unpatched abandonware/demo code unless your team has locally corrected print.php.
Exposure and scanningShodan's CVEDB tracks the product and multiple related CVEs, but I found no trustworthy host-count or fingerprint-based internet exposure metric. Inference: real-world exposed population is probably small and hard to measure because this is a sample PHP project, not a mainstream enterprise platform.
Disclosure and provenancePublished 2025-01-05 via VulDB/CVE feeds. NVD later added a divergent 9.8 enrichment even though the CNA data and the /admin/ path support a more constrained interpretation.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.4/10)

The single biggest driver downward is the PR:L authenticated requirement on an /admin/ endpoint, which makes this a post-auth application bug rather than a broad unauthenticated edge compromise. The other major suppressor is population: this is a niche sample PHP project documented for localhost deployment, so the exposed enterprise install base is likely tiny compared with products that deserve emergency patch motion.

HIGH The vuln is a real SQL injection in `admin/print.php` affecting version `1.0`
HIGH Authentication/privilege requirement is material to real-world severity
MEDIUM Exposure is probably low because the app appears to be demo/tutorial software
LOW There is no authoritative vendor patch state beyond 'none found'

Why this verdict

  • Post-auth, not pre-auth: the CNA vector is PR:L, so the exploit chain starts after the attacker already has credentials or a session.
  • Reachability is narrow: the vulnerable code is under /admin/print.php, which removes a lot of opportunistic anonymous scanning value.
  • Tiny real deployment population: the vendor page describes localhost XAMPP/WAMP use for a free sample project, not a broadly deployed enterprise product.
  • Threat telemetry is cold: no KEV listing, no active exploitation evidence found, and EPSS is near zero.
  • Blast radius is usually app-local: compromise is meaningful for this app and DB, but there is no evidence here of direct OS-level code execution.

Why not higher?

If this were unauthenticated on a mainstream internet-facing product, the score would climb fast. But every real-world friction point pushes the other way: niche software, likely dev/lab installs, admin-path reachability, and a PR:L requirement. NVD's 9.8 enrichment looks like a vacuum-score mistake for operational prioritization.

Why not lower?

It is still bona fide SQL injection with public exploit guidance, not a theoretical bug. If you do run this app and the admin area is reachable to untrusted users or weak credentials exist, an attacker can likely read or alter the app database, so IGNORE would be too dismissive.

05 · Compensating Control

What to do — in priority order.

  1. Pull the admin path behind identity controls — Require VPN, reverse-proxy auth, IP allowlisting, or equivalent in front of /admin/. For a LOW noisgate verdict there is no SLA; treat this as backlog hygiene, but do it whenever the app is still exposed to anything broader than trusted admins.
  2. Block obvious SQLi patterns at the edge — Add WAF rules for UNION, comment markers, stacked queries, and time-based payloads on pid requests to print.php. This is a containment move when no official patch is available; for LOW, there is no deadline pressure, but it is worth doing if you cannot retire the app.
  3. Constrain the database account — Ensure the PHP app uses a DB account without schema-altering or file-write privileges. That reduces SQLi impact from 'full DB abuse' to 'nuisance/local data tampering' and is appropriate backlog work for a low-priority demo app.
  4. Decommission or replace the sample app — The stronger long-term control is to remove tutorial/demo code from any environment that matters. No official fixed release was identified, so replacement or retirement is often cleaner than trying to maintain a fork.
  5. Add authenticated DAST coverage — If this app must stay, scan it with credentials so /admin/ endpoints are actually tested. This is the right verification loop for low-priority but real app-layer bugs that unauthenticated scanners routinely miss.
What doesn't work
  • Blindly prioritizing the NVD 9.8 score doesn't help; it overstates the real attack path because it ignores the CNA's PR:L constraint.
  • Network IDS signatures alone are weak here; simple parameter changes or HTTPS termination gaps will miss app-layer SQLi without context.
  • Patching the OS or PHP runtime does not fix this bug; the flaw is in the application's request handling and SQL construction.
06 · Verification

Crowdsourced verification payload.

Run this on the target web server or on a mounted copy of the application source tree. Invoke it as python3 verify_cve_2025_0230.py /var/www/html/responsive-hotel-site on Linux/macOS or py verify_cve_2025_0230.py C:\xampp\htdocs\responsive-hotel-site on Windows; it only needs read access to the app files.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# verify_cve_2025_0230.py
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / usage / unreadable

import os
import re
import sys

TARGET = os.path.join('admin', 'print.php')

PATTERNS = [
    re.compile(r"\$_(GET|REQUEST|POST)\s*\[\s*['\"]pid['\"]\s*\]", re.I),
    re.compile(r"pid\s*=\s*\$_(GET|REQUEST|POST)", re.I),
    re.compile(r"select\s+.*\$[A-Za-z_][A-Za-z0-9_]*", re.I | re.S),
    re.compile(r"mysql_query\s*\(", re.I),
    re.compile(r"mysqli_query\s*\(", re.I),
]

SAFE_HINTS = [
    re.compile(r"prepare\s*\(", re.I),
    re.compile(r"bind_param\s*\(", re.I),
    re.compile(r"execute\s*\(", re.I),
    re.compile(r"intval\s*\(\s*\$_(GET|REQUEST|POST)\s*\[\s*['\"]pid['\"]\s*\]\s*\)", re.I),
    re.compile(r"filter_input\s*\(", re.I),
]


def find_target(root):
    direct = os.path.join(root, TARGET)
    if os.path.isfile(direct):
        return direct
    matches = []
    for base, _, files in os.walk(root):
        if 'print.php' in files and os.path.basename(base).lower() == 'admin':
            matches.append(os.path.join(base, 'print.php'))
    return matches[0] if matches else None


def main():
    if len(sys.argv) != 2:
        print('UNKNOWN - usage: verify_cve_2025_0230.py <app_root>')
        sys.exit(2)

    root = sys.argv[1]
    if not os.path.isdir(root):
        print('UNKNOWN - supplied path is not a directory')
        sys.exit(2)

    target = find_target(root)
    if not target:
        print('PATCHED - admin/print.php not found under supplied path')
        sys.exit(0)

    try:
        with open(target, 'r', encoding='utf-8', errors='ignore') as f:
            data = f.read()
    except Exception as e:
        print(f'UNKNOWN - cannot read {target}: {e}')
        sys.exit(2)

    has_pid = any(p.search(data) for p in PATTERNS[:2])
    has_sql = any(p.search(data) for p in PATTERNS[2:])
    has_safe = any(p.search(data) for p in SAFE_HINTS)

    if has_pid and has_sql and not has_safe:
        print(f'VULNERABLE - {target} references pid and appears to build/issue SQL without obvious parameterization')
        sys.exit(1)

    if has_pid and has_safe:
        print(f'PATCHED - {target} references pid but shows signs of input handling or prepared statements')
        sys.exit(0)

    if has_pid and not has_sql:
        print(f'UNKNOWN - {target} references pid, but the script could not confirm SQL usage')
        sys.exit(2)

    print(f'UNKNOWN - {target} did not match the expected vulnerable pattern')
    sys.exit(2)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not let this jump the line ahead of real pre-auth edge bugs. First, confirm whether anyone actually runs this sample app outside a lab; if yes, put /admin/ behind trusted access and add a simple WAF rule during normal backlog cleanup. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene, document any exposed instances, and either retire the app or locally fix the vulnerable print.php path rather than burning emergency patch capacity on it.

Sources

  1. NVD CVE-2025-0230
  2. code-projects Responsive Hotel Site page
  3. Public PoC notes on GitHub
  4. OpenCVE record
  5. CISA Known Exploited Vulnerabilities Catalog
  6. Shodan CVEDB product page
  7. Feedly CVE page with EPSS summary
  8. Indusface January 2025 bulletin
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.