
CVE-2025-12855: SQL Injection in code-projects Responsive Hotel Site

Severity: Medium
Published: Fri Nov 07 2025 (11/07/2025, 13:32:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Responsive Hotel Site

Description

A security flaw has been discovered in code-projects Responsive Hotel Site 1.0. This issue affects some unknown processing of the file /admin/newsletterdel.php. The manipulation of the argument eid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.

AI-Powered Analysis

Last updated: 11/07/2025, 14:36:01 UTC

Technical Analysis

CVE-2025-12855 is a SQL injection vulnerability in Responsive Hotel Site 1.0, developed by code-projects. The flaw is in the /admin/newsletterdel.php script, where the value of the 'eid' request parameter is placed into a SQL statement without validation or parameterization, so whoever controls that value can change the query. The VulDB description speaks of "some unknown processing", meaning the exact code path has not been published; the script name suggests it deletes a newsletter record selected by eid, which is an inference, not a documented fact. The attack works remotely and needs no user interaction, but the CVSS 4.0 vector rates the required privileges as high (PR:H): the attacker must already hold an authenticated session for the admin area. The remaining vector components are network attack vector (AV:N), low attack complexity (AC:L) and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L), consistent with the Medium rating. An injection in a delete statement can still be driven beyond its intended row, so the practical concern is unauthorized reading, modification or deletion of other records and tables reachable from the same database user. No official patch has been released and no in-the-wild exploitation has been reported, although exploit code is public. Only deployments of this specific package are affected.
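The page does not reproduce the script's source, so the following Python block is an added illustration and not code from code-projects' Responsive Hotel Site. It reconstructs the generic pattern the description implies (an eid value spliced into a DELETE statement, which is an assumption about what newsletterdel.php does) against an in-memory SQLite table, and places the type-checked, parameterized form beside it. The table and column names, the sample rows and the attacker value are constructed for the demo.

```python
import sqlite3

# Constructed demo data standing in for the newsletter table; the real
# schema of Responsive Hotel Site is not on the advisory page.
SUBSCRIBERS = [
    (1, "guest1@example.com"),
    (2, "guest2@example.com"),
    (3, "guest3@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table mimicking a newsletter subscriber list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsletter (eid INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO newsletter VALUES (?, ?)", SUBSCRIBERS)
    conn.commit()
    return conn


def delete_unsafe(conn: sqlite3.Connection, eid: str) -> None:
    """The flawed pattern: the request parameter is pasted into the SQL text.

    An eid of "1 OR 1=1" turns the statement into
    DELETE FROM newsletter WHERE eid=1 OR 1=1, which removes every row.
    """
    conn.execute(f"DELETE FROM newsletter WHERE eid={eid}")
    conn.commit()


def delete_safe(conn: sqlite3.Connection, eid: str) -> None:
    """Hardened form: enforce the integer type, then bind it as a parameter."""
    try:
        eid_int = int(eid)
    except ValueError:
        raise ValueError("eid must be a numeric record id") from None
    conn.execute("DELETE FROM newsletter WHERE eid=?", (eid_int,))
    conn.commit()


def remaining(conn: sqlite3.Connection) -> int:
    """Number of subscriber rows still present."""
    return conn.execute("SELECT COUNT(*) FROM newsletter").fetchone()[0]


def demo(payload: str = "1 OR 1=1") -> tuple:
    """Run a constructed attacker value through both versions.

    Returns (rows left after the unsafe delete, rows left after the safe
    delete, whether the safe version rejected the input).
    """
    unsafe_conn = make_db()
    delete_unsafe(unsafe_conn, payload)

    safe_conn = make_db()
    rejected = False
    try:
        delete_safe(safe_conn, payload)
    except ValueError:
        rejected = True
    return remaining(unsafe_conn), remaining(safe_conn), rejected


if __name__ == "__main__":
    print(demo())  # (0, 3, True): unsafe wipes the table, safe refuses the value
```

The tautology payload is enough to show the problem because neither SQLite's execute() nor the usual PHP MySQL drivers accept stacked statements by default; the damage comes from widening the WHERE clause, not from appending a second query. Casting to int before binding also gives the application a clean place to return an error instead of silently deleting nothing.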

Potential Impact

For European organizations in the hospitality and tourism sectors that run Responsive Hotel Site 1.0, the vulnerability risks unauthorized access to and manipulation of the backing database. An attacker holding administrative credentials could use the injection to read tables beyond the newsletter list, extract guest data, alter booking or subscription records, or delete data and disrupt the site, even though the legitimate function only removes a single newsletter entry. The result could be a breach of personal data with GDPR notification obligations, reputational damage and operational downtime. The authentication requirement narrows the pool of attackers, but insider misuse or phished, reused or leaked admin passwords supply the needed session. The impact is greater in countries with large tourism industries where the software is more widely used, affecting customer trust and business continuity.

Mitigation Recommendations

Organizations should first determine whether they run code-projects Responsive Hotel Site 1.0 and, if so, restrict the whole /admin/ area, not only /admin/newsletterdel.php, to trusted administrators, ideally behind a VPN or IP allow-list. Fix the code itself: cast eid to an integer before use and issue the DELETE through a prepared statement with a bound parameter; because the application ships as PHP source, operators can make this change without waiting for the vendor. Monitor web server and application logs for requests to the endpoint whose eid value is anything other than a plain integer. While no official patch exists, a Web Application Firewall rule that blocks non-numeric eid values on this path is a practical stopgap, with the caveat that a WAF does not fix the underlying query. Enforce strong authentication for the admin interface and rotate admin credentials to limit the damage from privilege abuse, and apply the vendor's update promptly if one is published. Security awareness training reduces credential compromise, and regular assessments and penetration testing of admin interfaces should check the package's other scripts for the same class of flaw.
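As an added example of the log-monitoring step above, and not code from the page or the project, this Python block parses constructed access-log lines in common log format and flags requests to /admin/newsletterdel.php whose eid value is not a plain integer, the only shape a legitimate record ID should take. The sample lines, IP addresses and timestamps are constructed; the path and parameter name are the ones the advisory gives, while the log format and field positions are assumptions about the web server configuration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format. The IPs come from
# documentation ranges and the timestamps are invented for the demo.
SAMPLE_LOG = """
203.0.113.5 - - [07/Nov/2025:14:01:22 +0000] "GET /admin/newsletterdel.php?eid=12 HTTP/1.1" 302 -
198.51.100.7 - - [07/Nov/2025:14:03:10 +0000] "GET /admin/newsletterdel.php?eid=1%20OR%201%3D1 HTTP/1.1" 302 -
198.51.100.7 - - [07/Nov/2025:14:03:41 +0000] "GET /admin/newsletterdel.php?eid=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 500 -
203.0.113.9 - - [07/Nov/2025:14:05:02 +0000] "GET /admin/newsletter.php?eid=1%20OR%201%3D1 HTTP/1.1" 200 -
203.0.113.5 - - [07/Nov/2025:14:06:15 +0000] "POST /admin/newsletterdel.php HTTP/1.1" 302 -
""".strip().splitlines()

# Path and parameter from the advisory; everything else here is assumed.
TARGET_PATH = "/admin/newsletterdel.php"
PARAM = "eid"

# Common log format: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_eid_requests(lines):
    """Return (ip, method, decoded eid) for hits on the vulnerable endpoint
    whose eid is not a plain non-negative integer."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so encoded payloads are inspected in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if re.fullmatch(r"[0-9]+", value) is None:
                flagged.append((m["ip"], m["method"], value))
    return flagged


if __name__ == "__main__":
    for ip, method, value in suspicious_eid_requests(SAMPLE_LOG):
        print(f"{ip} {method} eid={value!r}")
```

Only GET query strings appear in a standard access log; if the admin form submits eid in a POST body (the last sample line), the same check has to run in the application, in a WAF, or on a request-body logging module. Matching on "not an integer" rather than on known SQL keywords keeps the rule independent of encoding and payload tricks.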

Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-07T06:58:01.178Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690e03b5623ee59e95cb7e3d

Added to database: 11/7/2025, 2:35:33 PM

Last enriched: 11/7/2025, 2:36:01 PM

Last updated: 11/8/2025, 6:22:00 AM
