CVE-2025-12594 identifies a SQL injection vulnerability in the Simple Online Hotel Reservation System version 2.0 developed by code-projects. The vulnerability exists in the /admin/add_account.php file, where the 'Name' parameter is not properly sanitized before being used in SQL queries. This improper input validation allows an attacker to inject arbitrary SQL code remotely, potentially leading to unauthorized data retrieval, modification, or deletion within the backend database. The attack vector does not require user interaction but does require administrative privileges (as indicated by the CVSS vector's PR:H), suggesting that the attacker must have some level of authenticated access to exploit the flaw. The vulnerability has a CVSS 4.0 base score of 5.1, categorized as medium severity, reflecting limited scope and impact due to the privilege requirement and low impact on confidentiality, integrity, and availability. No patches or fixes have been officially released yet, and while exploit code is publicly available, there are no confirmed active exploitations in the wild. The vulnerability's presence in a hotel reservation system makes it a concern for organizations managing customer data and booking operations, as exploitation could lead to data breaches or operational disruptions.

For European organizations, especially those in the hospitality and tourism sectors using the affected Simple Online Hotel Reservation System 2.0, this vulnerability poses a risk of unauthorized access to sensitive customer and business data. Exploitation could lead to data leakage of personal identifiable information (PII), financial details, or booking records, damaging customer trust and potentially violating GDPR regulations. Additionally, attackers could manipulate reservation data, causing operational disruptions or financial losses. The requirement for administrative privileges to exploit reduces the risk somewhat but does not eliminate it, as insider threats or compromised admin credentials could facilitate attacks. The medium severity rating indicates moderate risk, but the public availability of exploit code increases the likelihood of opportunistic attacks. Organizations relying on this software without timely mitigation may face reputational damage, regulatory penalties, and operational challenges.

Organizations should immediately audit their use of the Simple Online Hotel Reservation System 2.0 and restrict access to the administrative interface to trusted personnel and networks only, employing network segmentation and VPNs where possible. Implement strict access controls and monitor administrative account activities for suspicious behavior. Since no official patch is currently available, developers or administrators should review the source code of /admin/add_account.php and refactor SQL queries to use parameterized statements or prepared queries to prevent injection. Input validation and sanitization of the 'Name' parameter must be enforced. Additionally, organizations should consider deploying Web Application Firewalls (WAFs) with SQL injection detection rules to provide a temporary protective layer. Regularly back up databases and monitor logs for unusual query patterns. Finally, plan for prompt patch application once an official fix is released and conduct security awareness training for administrators to recognize and prevent credential compromise.