SQL Injection Vulnerability in FantasticLBP Hotels Server
CVE-2025-13208

5.3MEDIUM

Key Information:

Vendor

Fantasticlbp

Status
Hotels Server
Vendor
CVE Published:
15 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13208?

A security flaw has been identified in the FantasticLBP Hotels Server, specifically within the hotelList.php file. This vulnerability allows remote attackers to manipulate the subjectId/cityName parameters, leading to SQL injection attacks. Successful exploitation could enable unauthorized access to the database, potentially exposing sensitive information. The vendor has not responded regarding this issue, heightening concerns about the ongoing risk for users running affected versions without timely updates.

Affected Version(s)

Hotels Server 67b44df162fab26df209bd5d5d542875fcbec1d0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13208 - Proof of Concept

References

https://vuldb.com/?id.332527
vdb-entrytechnical-description
https://vuldb.com/?ctiid.332527
signaturepermissions-required
https://vuldb.com/?submit.685620
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

naixiao (VulDB User)
JSON
.
CVE-2025-13208 : SQL Injection Vulnerability in FantasticLBP Hotels Server