CVE-2025-12597: SQL Injection in SourceCodester Best House Rental Management System
A vulnerability was detected in SourceCodester Best House Rental Management System 1.0. Affected by this vulnerability is the function save_category of the file /admin_class.php. Performing manipulation of the argument Name results in SQL injection. The attack can be initiated remotely. The exploit is now public and may be used.
AI Analysis
Technical Summary
CVE-2025-12597 identifies a SQL injection vulnerability in the SourceCodester Best House Rental Management System version 1.0, specifically in the save_category function located in the /admin_class.php file. The vulnerability arises from improper sanitization of the 'Name' parameter, which is directly used in SQL queries without adequate validation or parameterization. An attacker with administrative privileges can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the underlying database. The vulnerability does not require user interaction but does require high privileges (administrative access), limiting the attack surface to authenticated users with elevated rights. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability with relatively low attack complexity and no user interaction needed. Although no known active exploits have been reported in the wild, the public availability of exploit code increases the risk of exploitation. The lack of an official patch or mitigation guidance from the vendor further complicates remediation efforts. This vulnerability could allow attackers to extract sensitive data, alter records, or disrupt service availability within the rental management system, impacting business operations and data privacy.
Potential Impact
For European organizations using the affected version of SourceCodester Best House Rental Management System, this vulnerability poses a significant risk to the confidentiality and integrity of rental management data, including customer information, rental agreements, and financial records. Exploitation could lead to unauthorized data disclosure, data tampering, or denial of service, undermining trust and potentially violating data protection regulations such as GDPR. The requirement for administrative privileges reduces the likelihood of external attackers exploiting this vulnerability directly; however, insider threats or compromised administrative accounts could be leveraged. Disruption or data breaches in property management systems could have cascading effects on business continuity and reputation. Additionally, organizations in countries with stringent data privacy laws may face legal and financial repercussions if sensitive tenant data is exposed. The medium severity score suggests a moderate but non-trivial threat that should be addressed promptly to avoid escalation.
Mitigation Recommendations
1. Restrict administrative access to the Best House Rental Management System to trusted personnel only and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of compromised credentials.
2. Implement input validation and sanitization on the 'Name' parameter within the save_category function, ideally by using prepared statements or parameterized queries to prevent SQL injection.
3. Monitor database logs and application activity for unusual queries or behavior indicative of SQL injection attempts.
4. If vendor patches or updates become available, prioritize their deployment immediately.
5. Conduct regular security audits and code reviews focusing on input handling and database interactions within the application.
6. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block SQL injection patterns targeting this application.
7. Educate administrative users about the risks of credential compromise and enforce least privilege principles to limit potential damage from insider threats.
8. Isolate the application environment to minimize lateral movement in case of compromise.
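Recommendation 2 asks for prepared statements in save_category. The PHP below is an added illustration, not code from the SourceCodester project: it shows the concatenated-query pattern the advisory describes next to a hardened save_category that validates the value and binds it through a mysqli prepared statement. The `$this->db` mysqli handle, the `category` table with `id` and `name` columns, and the `$_POST['name']` / `$_POST['id']` keys are assumptions.

```php
<?php
// Added example (not the project's own code). Assumes $this->db is a mysqli
// connection and a table `category` with columns `id` and `name`; those
// names are assumptions, not taken from the advisory.

class AdminClass
{
    /** @var mysqli */
    private $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Pattern the advisory describes: the request value is spliced straight
    // into the SQL text, so quote characters in `name` change the statement.
    public function save_category_vulnerable(): int
    {
        $name = $_POST['name'] ?? '';
        $sql  = "INSERT INTO category (name) VALUES ('$name')";
        return $this->db->query($sql) ? 1 : 0;
    }

    // Hardened version: validate first, then pass the value as a bound
    // parameter so the database never parses it as part of the SQL.
    public function save_category(): int
    {
        $name = trim((string)($_POST['name'] ?? ''));
        $id   = isset($_POST['id']) ? (int)$_POST['id'] : 0;

        // Reject empty or oversized names before touching the database.
        if ($name === '' || mb_strlen($name) > 100) {
            return 0;
        }

        if ($id > 0) {
            $stmt = $this->db->prepare("UPDATE category SET name = ? WHERE id = ?");
            if ($stmt === false) { return 0; }
            $stmt->bind_param('si', $name, $id);
        } else {
            $stmt = $this->db->prepare("INSERT INTO category (name) VALUES (?)");
            if ($stmt === false) { return 0; }
            $stmt->bind_param('s', $name);
        }

        $ok = $stmt->execute();
        $stmt->close();
        return $ok ? 1 : 0;
    }
}
```

The same pattern applies to every other request parameter the class writes into SQL; a bound parameter is the fix, and escaping alone is not a substitute.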
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-01T17:23:02.772Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6907424c2c5f3d6573fcfe15
Added to database: 11/2/2025, 11:36:44 AM
Last enriched: 11/10/2025, 2:30:05 AM
Last updated: 12/17/2025, 9:26:05 PM