CVE-2025-12594: SQL Injection in code-projects Simple Online Hotel Reservation System
A security flaw has been discovered in code-projects Simple Online Hotel Reservation System 2.0. It affects an unknown function of the file /admin/add_account.php. Manipulation of the argument Name results in SQL injection. The attack may be performed remotely. The exploit has been released to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-12594 identifies a SQL injection vulnerability in the Simple Online Hotel Reservation System version 2.0 developed by code-projects. The vulnerability resides in the /admin/add_account.php script, where the 'Name' parameter is improperly sanitized before being used in a database query, allowing an attacker to inject SQL. The injection can be performed remotely without user interaction, but it requires the attacker to already hold high privileges, most likely administrative access to the application. The vulnerability enables partial compromise of the database's confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or deletion. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no exploitation has been observed in the wild, exploit code has been released publicly, which increases the risk of exploitation. The vulnerability affects only version 2.0 of this specific hotel reservation system, a niche product used primarily by small to medium hospitality businesses. The absence of patches or official fixes at the time of publication increases the urgency for affected organizations to implement mitigations. Successful exploitation could lead to unauthorized database queries, data leakage, or data manipulation, impacting business operations and customer data security.
Potential Impact
For European organizations, particularly those in the hospitality sector using the Simple Online Hotel Reservation System 2.0, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive customer data, including personal and booking information, potentially violating GDPR requirements and resulting in regulatory penalties. Data integrity could be compromised, leading to incorrect bookings or financial discrepancies. Availability impacts may disrupt reservation services, harming business reputation and revenue. Since the vulnerability requires high privileges, the risk is somewhat mitigated by internal access controls; however, insider threats or compromised admin accounts could be leveraged for exploitation. The public release of exploit code increases the likelihood of opportunistic attacks, especially against less-secured or outdated systems. European hospitality businesses with limited cybersecurity resources may be particularly vulnerable. Additionally, the breach of customer data could have broader reputational and legal consequences across the EU.
Mitigation Recommendations
Organizations should immediately audit their use of the Simple Online Hotel Reservation System and verify if version 2.0 is deployed. If so, restrict access to the /admin/add_account.php interface strictly to trusted administrators via network segmentation and VPNs. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'Name' parameter. Apply input validation and sanitization on all user-supplied data, especially in administrative modules. Where possible, modify the source code to use parameterized queries or prepared statements to eliminate SQL injection vectors. Monitor logs for suspicious activity related to the admin interface and unusual database queries. If vendor patches become available, prioritize their deployment. Conduct regular security training for administrators to prevent credential compromise. Finally, consider migrating to more secure or actively maintained reservation systems if remediation is not feasible.
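As an added illustration of the prepared-statement recommendation above (example code written for this page, not code from the code-projects application): a Python stand-in for the add_account insert using sqlite3, with the string-concatenation pattern beside the parameterized form. The table layout, the allow-list regex and the sample values are constructed assumptions; the same placeholder-and-bind pattern applies to the PHP script with mysqli or PDO prepared statements.

```python
import re
import sqlite3

# Allow-list for a display name: letters, spaces, apostrophes, hyphens, periods,
# at most 100 characters. Apostrophes are deliberately permitted (O'Brien):
# parameter binding, not character stripping, keeps them out of the SQL syntax.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,99}$")


def validate_name(name: str) -> bool:
    return bool(_NAME_RE.fullmatch(name))


def _fresh_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the application's accounts table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, username TEXT)")
    return conn


def add_account_unsafe(conn: sqlite3.Connection, name: str, username: str) -> None:
    # Vulnerable pattern: request values spliced into the SQL text, so any quote
    # in the input is interpreted by the database as part of the statement.
    sql = f"INSERT INTO accounts (name, username) VALUES ('{name}', '{username}')"
    conn.execute(sql)
    conn.commit()


def add_account_safe(conn: sqlite3.Connection, name: str, username: str) -> None:
    # Hardened pattern: validate, then bind values to placeholders; the driver
    # sends them as data, never as SQL.
    if not validate_name(name):
        raise ValueError("invalid name")
    conn.execute("INSERT INTO accounts (name, username) VALUES (?, ?)", (name, username))
    conn.commit()


def demo(name: str) -> dict:
    # Runs the same input through both paths and reports what happened.
    results = {}
    conn = _fresh_db()
    try:
        add_account_unsafe(conn, name, "frontdesk")
        results["unsafe"] = "inserted"
    except sqlite3.Error as exc:
        results["unsafe"] = f"error: {type(exc).__name__}"
    conn2 = _fresh_db()
    add_account_safe(conn2, name, "frontdesk")
    results["safe"] = conn2.execute("SELECT name FROM accounts").fetchone()[0]
    return results
```

A name such as O'Brien breaks the concatenated statement with a syntax error, which is the same parser behaviour an injection relies on, while the bound version stores it verbatim.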
Affected Countries
Spain, Italy, France, Germany, United Kingdom, Portugal, Greece, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-01T15:58:21.389Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69071a8adb62f9b0ce09a13a
Added to database: 11/2/2025, 8:47:06 AM
Last enriched: 11/10/2025, 2:27:46 AM
Last updated: 12/15/2025, 7:31:03 PM