
CVE-2025-10789: SQL Injection in SourceCodester Online Hotel Reservation System

Severity: Medium
Published: Mon Sep 22 2025 (09/22/2025, 08:02:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Hotel Reservation System

Description

A vulnerability was identified in SourceCodester Online Hotel Reservation System 1.0. The impacted element is an unknown function of the file deleteslide.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/22/2025, 08:08:21 UTC

Technical Analysis

CVE-2025-10789 is a SQL injection vulnerability in version 1.0 of the SourceCodester Online Hotel Reservation System. It resides in an unspecified function in the file deleteslide.php, where the 'ID' request parameter is incorporated into a SQL statement without validation or parameterization, so a remote attacker can append their own SQL to the query the handler runs against the backend database. The file name indicates a record-deletion handler, so the most direct consequence is deletion or modification of rows beyond the one intended; depending on the query and database privileges, other data held in the same database can also be exposed or altered.

The CVSS 4.0 base score is 6.9 (medium). The vector is network-reachable (AV:N) with low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N), meaning the endpoint can be hit by an unauthenticated attacker without any victim involvement. The impact on confidentiality, integrity and availability of the vulnerable system is rated low (VC:L, VI:L, VA:L), which is what keeps the score out of the high range despite the trivial preconditions.

A public proof-of-concept exists, but no exploitation in the wild has been reported to date. No vendor patch is available, which prolongs the exposure of any deployment still running this version. Because the application manages hotel bookings, the database behind it typically holds reservation records and guest contact details, so successful exploitation could expose or alter that data and disrupt operations.
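The advisory does not reproduce the affected code, so the following is an added illustration and not the project's own deleteslide.php: a hypothetical handler showing how an ID value concatenated into a DELETE statement becomes injectable, next to the hardened form (typed validation plus a prepared statement, plus the authorization check the PR:N rating says is missing). The table name `slides`, column `id`, the session key `admin_id` and the mysqli connection details are all assumptions.

```php
<?php
// Added example, not the project's deleteslide.php: a hypothetical reconstruction
// of the injectable pattern next to a hardened version. Table `slides`, column
// `id`, the session key `admin_id` and the connection details are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable pattern (assumed): the request value becomes part of the SQL text.
// ID=1 OR 1=1 yields  DELETE FROM slides WHERE id = 1 OR 1=1  and empties the table.
function delete_slide_vulnerable(mysqli $db, string $id): void
{
    $db->query("DELETE FROM slides WHERE id = " . $id);
}

// Hardened: positive validation of the type the column expects, then a prepared
// statement, so the value is bound as an integer and never parsed as SQL.
function delete_slide_hardened(mysqli $db, string $id): bool
{
    // filter_var returns false for "1 OR 1=1", "1'--", "" and anything that is
    // not a whole decimal integer; min_range also rejects 0 and negatives.
    $slideId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($slideId === false) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('DELETE FROM slides WHERE id = ?');
    $stmt->bind_param('i', $slideId);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

// PR:N means the endpoint is reachable without logging in, so the other half of
// the fix is an authorization check before any query runs.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit;
}
// A destructive action should be a POST (with a CSRF token), not a GET link; the
// advisory only names the parameter, so both sources are accepted here.
$id = $_POST['ID'] ?? $_GET['ID'] ?? '';
$db = new mysqli('localhost', 'hotel_app', 'change-me', 'hotel'); // assumed credentials
$db->set_charset('utf8mb4');
if (!delete_slide_hardened($db, is_string($id) ? $id : '')) {
    echo 'Slide not deleted';
}
```

The integer check alone would stop this particular injection, but the prepared statement is the durable fix: it keeps the query safe if the handler is later changed to accept a string key or another parameter is added.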

Potential Impact

For European organizations, particularly those in the hospitality sector using the SourceCodester Online Hotel Reservation System version 1.0, this vulnerability poses a tangible risk. Exploitation could lead to unauthorized access to customer personal data, including booking details and potentially payment information if stored insecurely. This could result in violations of the EU General Data Protection Regulation (GDPR), leading to significant legal and financial penalties. Additionally, manipulation of reservation data could disrupt business operations, causing reputational damage and loss of customer trust. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially from opportunistic threat actors scanning for vulnerable systems. Although the impact is rated medium, the hospitality industry’s reliance on reservation systems makes this vulnerability a critical concern for maintaining service continuity and data privacy compliance in Europe.

Mitigation Recommendations

Organizations should first determine whether they run SourceCodester Online Hotel Reservation System version 1.0. No official patch is available, so the following compensating measures are recommended:

1) Add Web Application Firewall (WAF) rules for the deleteslide.php endpoint. Because a legitimate 'ID' is a numeric record identifier, a rule that rejects any request whose ID is not a plain integer is simpler and harder to bypass than signature matching on SQL keywords.
2) Review the code and replace string concatenation of 'ID' (and other request parameters) with validated, typed input bound through prepared statements or parameterized queries.
3) Remove the reservation system from direct internet exposure, or place it in a segmented network zone with strict access controls. The delete handler in particular should require authentication, which the PR:N rating indicates it currently does not.
4) Monitor web server logs for deleteslide.php requests with non-numeric ID values, and database logs for syntax errors or unexpected multi-row deletes; both indicate injection attempts.
5) Plan an upgrade or migration to a version or alternative product that resolves the flaw.
6) Back up reservation data regularly and test restoration, so that records destroyed or altered through the delete handler can be recovered.
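As an added example for the WAF and log-monitoring items above (not code from the page or the project), this PHP script applies the same allow-list rule a WAF or log review would use: a request to deleteslide.php whose ID does not decode to a positive integer is flagged, whatever SQL keywords it does or does not carry. The access-log lines are constructed for the example in Apache combined format, and the path /hotel/admin/ is an assumption.

```php
<?php
// Added example (not from the page or the project): flag requests to
// deleteslide.php whose ID parameter is not a plain positive integer. Since the
// legitimate value space is known, this is an allow-list check rather than a
// keyword blocklist, so payloads are caught after URL decoding regardless of
// encoding tricks. Log lines below are constructed; the /hotel/admin/ path is assumed.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [22/Sep/2025:08:15:01 +0000] "GET /hotel/admin/deleteslide.php?ID=3 HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.9 - - [22/Sep/2025:08:15:09 +0000] "GET /hotel/admin/deleteslide.php?ID=3%20OR%201%3D1 HTTP/1.1" 302 - "-" "python-requests/2.32"
198.51.100.9 - - [22/Sep/2025:08:15:11 +0000] "GET /hotel/admin/deleteslide.php?ID=3%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 500 - "-" "python-requests/2.32"
203.0.113.7 - - [22/Sep/2025:08:16:40 +0000] "GET /hotel/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

/**
 * Return the suspicious requests: one array per hit with client IP, method,
 * the decoded ID value that failed the integer check, and the raw line.
 */
function find_deleteslide_abuse(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, then the quoted request line "METHOD TARGET PROTO"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $target] = $m;
        $path = parse_url($target, PHP_URL_PATH);
        if ($path === null || !str_ends_with($path, '/deleteslide.php')) {
            continue;
        }
        // parse_str URL-decodes, so %20OR%201%3D1 is examined as "3 OR 1=1"
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        $id = $params['ID'] ?? null;
        // legitimate traffic carries a bare positive integer; anything else is a probe
        if (is_string($id)
            && filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false) {
            continue;
        }
        $hits[] = ['ip' => $ip, 'method' => $method, 'id' => $id, 'line' => $line];
    }
    return $hits;
}

foreach (find_deleteslide_abuse(SAMPLE_LOG) as $hit) {
    printf("ALERT %s %s deleteslide.php ID=%s\n", $hit['ip'], $hit['method'], var_export($hit['id'], true));
}
```

Run against the constructed sample, the first and fourth lines pass and the two probes from 198.51.100.9 are reported; a request to deleteslide.php with no ID at all is also flagged, since the handler has no legitimate use without one. The same decode-then-validate rule is what a WAF policy for this endpoint should express.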


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-21T09:16:04.833Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d103c34b809de657261e0f

Added to database: 9/22/2025, 8:07:31 AM

Last enriched: 9/22/2025, 8:08:21 AM

Last updated: 10/6/2025, 3:38:10 PM

