Executive Summary
CVE-2026-14688 is a high-severity SQL injection vulnerability in itsourcecode Online Hotel Management System version 1.0. The flaw exists in the admin login page (/admin/login.php), where the email parameter is passed unsanitized into a SQL query, allowing remote attackers to bypass authentication or extract database contents.
CVSS Score: 7.3 (High)
A publicly available exploit exists for this vulnerability. Hotel management systems often handle sensitive guest data, payment records, and reservation information, making this a significant risk for any deployment.
Technical Details
Vulnerability Type
SQL Injection (CWE-89) via unsanitized email parameter in the admin authentication flow. Rather than using parameterized queries, the application interpolates POST data directly into a SQL SELECT statement.
Attack Vector
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14688 |
| CVSS v3.1 | 7.3 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication Required | None |
| Privileges Required | None |
| Scope | Unchanged |
Affected Endpoint
POST /admin/login.php
Parameter: email
Proof of Concept
An attacker can bypass the admin login entirely using a classic Boolean-based SQLi payload:
email: admin@hotel.com' OR '1'='1' -- -
password: (arbitrary)
Alternatively, UNION-based injection can enumerate the database:
email: ' UNION SELECT 1,username,password,4,5 FROM admin-- -
Time-based blind injection for stealth reconnaissance:
email: admin@hotel.com' AND SLEEP(5)-- -
Impact
Hotel management systems typically store highly sensitive data. Successful exploitation could expose:
- Guest personal information: names, contact details, passport/ID numbers
- Reservation and booking records: check-in/out dates, room assignments
- Admin credentials: hashed or plaintext passwords enabling full system takeover
- Payment-adjacent data: billing amounts, invoice records (though full card data is typically offloaded)
- Staff and employee records: if stored in the same database
An unauthenticated attacker gaining admin access could also:
- Modify or delete reservations
- Access all guest records
- Pivot to further exploitation of the server
Affected Versions
| Product | Version | Status |
|---|---|---|
| itsourcecode Online Hotel Management System | 1.0 | Vulnerable |
No patch is available from the vendor. The itsourcecode portfolio (similar to SourceCodester) consists of student/demo PHP scripts often deployed in small businesses and hospitality operators without security review.
Remediation
Immediate Actions
- Restrict admin panel access — apply IP allowlisting at the web server level:
# .htaccess
<Files "login.php">
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
</Files>-
Deploy a WAF — configure rules to block SQLi patterns targeting
/admin/login.php -
Rotate all admin credentials — assume existing passwords may be compromised if the system has been publicly accessible
Code-Level Fix
Replace the vulnerable authentication query with a parameterized equivalent:
// Vulnerable (DO NOT USE)
$email = $_POST['email'];
$query = "SELECT * FROM admin WHERE email='$email' AND password='$pass'";
$result = mysqli_query($conn, $query);
// Secure replacement
$stmt = $conn->prepare("SELECT * FROM admin WHERE email = ? AND password = ?");
$stmt->bind_param("ss", $_POST['email'], $hashed_password);
$stmt->execute();
$result = $stmt->get_result();Additionally:
- Use
password_hash()andpassword_verify()instead of plaintext or MD5 passwords - Add rate limiting to the login endpoint to slow brute-force/injection attempts
- Enable
display_errors = Offinphp.inifor production deployments
Hospitality Sector Advisory
This vulnerability is a reminder that off-the-shelf PHP scripts from student/educational code repositories (SourceCodester, itsourcecode, etc.) are frequently deployed in production without security hardening. These codebases often predate modern PHP security practices and routinely omit:
- Prepared statements / parameterized queries
- Password hashing
- CSRF protection
- Session security hardening
Organizations in the hospitality sector should audit any PHP-based PMS (Property Management System) or booking system for similar patterns before deployment.