CVE-2025-12594: SQL Injection in code-projects Simple Online Hotel Reservation System
A security flaw has been discovered in code-projects Simple Online Hotel Reservation System 2.0. It affects an unknown function of the file /admin/add_account.php. Manipulation of the argument Name results in SQL injection. The attack may be launched remotely. The exploit has been publicly released and may be used in attacks.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-12594 identifies a SQL injection vulnerability in the Simple Online Hotel Reservation System version 2.0 developed by code-projects. The vulnerability exists in the /admin/add_account.php file, where the 'Name' parameter is improperly sanitized before being incorporated into SQL queries. This allows a remote attacker to inject crafted SQL commands that can manipulate the backend database. The attack vector is network accessible (AV:N), requires low attack complexity (AC:L), and does not require user interaction (UI:N). However, it requires high privileges (PR:H), indicating that the attacker must have some elevated access, possibly an authenticated admin session. The vulnerability impacts confidentiality, integrity, and availability at a low level (VC:L, VI:L, VA:L), suggesting partial data exposure or modification and potential disruption. No scope change occurs (S:N), meaning the impact is confined to the vulnerable component. Although no known exploits are active in the wild, a public exploit has been released, increasing the risk of exploitation. The vulnerability was published on November 2, 2025, and has a CVSS 4.0 base score of 5.1, categorized as medium severity. The lack of available patches or vendor advisories at this time necessitates immediate attention from users of this software to implement mitigations or workarounds.
Potential Impact
The SQL injection vulnerability allows attackers with elevated privileges to execute arbitrary SQL commands on the backend database of the Simple Online Hotel Reservation System. This can lead to unauthorized access to sensitive customer data, modification or deletion of records, and potential disruption of hotel reservation services. The partial compromise of confidentiality and integrity could result in leakage of personally identifiable information (PII), financial data, or booking details, impacting customer trust and regulatory compliance. Availability impacts, though low, could manifest as denial of service or corrupted data affecting operational continuity. Organizations relying on this software for managing hotel bookings and customer accounts face risks of reputational damage, financial loss, and legal consequences if exploited. The public availability of an exploit increases the likelihood of opportunistic attacks, especially in environments where patching is delayed or administrative controls are weak.
Mitigation Recommendations
1. Immediately restrict access to the /admin/add_account.php endpoint to trusted administrators only, using network segmentation and strong access controls.
2. Implement input validation and parameterized queries or prepared statements in the affected code to prevent SQL injection.
3. Monitor logs for suspicious SQL query patterns or unusual administrative activity indicative of exploitation attempts.
4. If vendor patches become available, apply them promptly.
5. Employ Web Application Firewalls (WAFs) with rules designed to detect and block SQL injection payloads targeting the vulnerable parameter.
6. Conduct a thorough security review of all input handling in the application to identify and remediate similar vulnerabilities.
7. Educate administrators on the risks of elevated privileges and enforce the principle of least privilege to limit potential damage.
8. Regularly back up databases and test restoration procedures to mitigate impact from data corruption or deletion.
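As an added illustration of recommendation 2 (this is not code from the code-projects project; the actual source of /admin/add_account.php is not shown on this page), a hypothetical PHP handler that builds its INSERT from the Name parameter by string concatenation, beside the same handler rewritten with a mysqli prepared statement. The table and column names (accounts, name, username) and the mysqli connection are assumptions.

```php
<?php
// Added illustration, not the project's code. The table/column names
// (accounts, name, username) and the mysqli connection are assumptions.

// VULNERABLE PATTERN: the request value is spliced straight into the SQL
// text, so a quote character inside "Name" changes the query's structure.
function add_account_unsafe(mysqli $db, array $post): bool
{
    $name = $post['Name'] ?? '';
    $user = $post['username'] ?? '';
    $sql  = "INSERT INTO accounts (name, username) VALUES ('$name', '$user')";
    return $db->query($sql) === true;
}

// HARDENED PATTERN: the SQL text is fixed at prepare time; the values are
// sent separately as bound parameters and are never parsed as SQL.
function add_account_safe(mysqli $db, array $post): bool
{
    $name = trim((string)($post['Name'] ?? ''));
    $user = trim((string)($post['username'] ?? ''));

    // Input validation on top of parameterization (recommendation 2):
    // reject empty or oversized values before touching the database.
    if ($name === '' || strlen($name) > 100 || $user === '' || strlen($user) > 50) {
        return false;
    }

    $stmt = $db->prepare("INSERT INTO accounts (name, username) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $user);   // 's' = bind as string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The authorization check that recommendation 1 calls for (verifying an authenticated administrator session before either function runs) belongs in front of both handlers and is not shown here.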
Affected Countries
United States, India, United Kingdom, Germany, France, Australia, Canada, United Arab Emirates, Singapore, Malaysia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-01T15:58:21.389Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69071a8adb62f9b0ce09a13a
Added to database: 11/2/2025, 8:47:06 AM
Last enriched: 2/24/2026, 10:13:37 PM
Last updated: 3/22/2026, 9:10:00 PM