CVE-2025-12857: SQL Injection in code-projects Responsive Hotel Site

Medium
Published: Fri Nov 07 2025 (11/07/2025, 14:02:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Responsive Hotel Site

Description

A security vulnerability has been detected in code-projects Responsive Hotel Site 1.0. The affected element is an unknown function of the file /admin/roombook.php. Manipulation of the argument rid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

AI-Powered Analysis

Last updated: 11/14/2025, 14:41:42 UTC

Technical Analysis

CVE-2025-12857 is a SQL injection vulnerability in Responsive Hotel Site version 1.0 by code-projects. The flaw is in /admin/roombook.php, where the rid parameter is placed into a database query without validation or parameterization, so anyone who can reach the endpoint can alter the structure of the query it runs. The CVSS 4.0 vector recorded for the entry is network-based (AV:N) with low attack complexity (AC:L), no user interaction (UI:N) and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L); it also states PR:H, that is, high privileges required. That is consistent with the endpoint living under /admin/: "can be launched remotely" in the description means the attack is carried out over the network, not that it is unauthenticated, and in practice the attacker needs an administrator session, or whatever access control the admin area enforces, before reaching roombook.php. Once there, the injection allows reading or modifying data in the backend database, such as booking records and the guest details they contain. A proof of concept has been disclosed publicly; the entry reports no exploitation in the wild. No vendor patch is listed, so affected deployments must rely on their own code changes or compensating controls.
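As an added illustration, not code from the code-projects application (whose roombook.php source is not reproduced on this page): the pattern described above, an integer request parameter concatenated into the SQL text, next to the parameterized form recommended under Mitigation Recommendations. The table name, column names and sample bookings are assumptions, and an in-memory SQLite database stands in for the application's real backend.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for the booking table behind
# /admin/roombook.php. The project's real schema is unknown; these names
# are assumptions for illustration only.
SAMPLE_BOOKINGS = [
    (1, "Alice", "101", "2025-11-10"),
    (2, "Bob", "205", "2025-11-12"),
    (3, "Carol", "310", "2025-11-15"),
]

QUERY_PREFIX = "SELECT id, guest, room, checkin FROM roombook WHERE id = "


def make_db():
    """Create an in-memory SQLite database holding the constructed bookings."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE roombook (id INTEGER PRIMARY KEY, guest TEXT, room TEXT, checkin TEXT)"
    )
    conn.executemany("INSERT INTO roombook VALUES (?, ?, ?, ?)", SAMPLE_BOOKINGS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, rid):
    """The injectable pattern: the request parameter is appended to the SQL text.

    Because the column is numeric the value is unquoted, so no quote character
    is needed to break out. "1 OR 1=1" widens the WHERE clause to every row,
    and "0 UNION SELECT ..." appends rows from any other table the database
    account can read.
    """
    return conn.execute(QUERY_PREFIX + rid).fetchall()


def lookup_safe(conn, rid):
    """Hardened form: allow-list the shape of the value, then bind it as a
    parameter so the database engine never parses it as SQL."""
    if not isinstance(rid, str) or re.fullmatch(r"[0-9]+", rid) is None:
        raise ValueError("rid must be a plain decimal integer")
    return conn.execute(
        "SELECT id, guest, room, checkin FROM roombook WHERE id = ?", (int(rid),)
    ).fetchall()


def safe_rejects(conn, rid):
    """True if lookup_safe refuses the value; used to show the guard holds."""
    try:
        lookup_safe(conn, rid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))          # the intended single row
    print(lookup_vulnerable(db, "1 OR 1=1"))   # every booking leaks
    print(lookup_vulnerable(db, "0 UNION SELECT name, sql, 1, 2 FROM sqlite_master"))
    print(lookup_safe(db, "2"))
    print(safe_rejects(db, "1 OR 1=1"))        # True: payload never reaches SQL
```

Both the allow-list check and the bound parameter matter: the parameter binding is what removes the injection, while the integer check turns a malformed request into a clean 4xx instead of a database error that leaks query structure.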

Potential Impact

For European organizations, especially hospitality businesses running Responsive Hotel Site, this vulnerability could expose customer booking data, including personally identifiable information and reservation details, leading to a data breach, loss of customer trust and potential regulatory penalties under GDPR. Attackers could also alter booking records, causing operational disruption and financial loss. The medium severity reflects limited but tangible impact on confidentiality, integrity and availability. Because exploitation requires admin-level access, the realistic attack paths are an internet-exposed admin panel protected by weak, default or reused credentials, a compromised staff account, or a malicious insider; where the admin area is reachable from the internet, the barrier is only as strong as the login in front of it. A successful injection could also serve as a foothold for further attacks within the network.

Mitigation Recommendations

Organizations should audit the /admin/roombook.php endpoint now and rewrite the query that consumes rid to use parameterized queries or prepared statements, with strict input validation in front of it. If source code changes are not immediately feasible, a web application firewall or reverse-proxy rule can protect the endpoint: rid should only ever be a positive integer, so any other value on this path can be rejected outright rather than relying on generic SQL injection signatures alone. Restricting the /admin directory to trusted IP addresses or VPN-only access reduces exposure further. Monitor web server and database logs for requests to roombook.php with non-numeric rid values and for unusual queries against the booking tables. Because exploitation requires admin-level access, protecting the admin login itself (strong unique passwords, removal of default accounts, multi-factor authentication where the deployment supports it) directly reduces exposure, and staff should be reminded that phishing for admin credentials is the most likely way an outside attacker obtains the access this flaw requires. No fix is currently listed, so do not wait for one; track the vendor for an official release, and verify the mitigations with a penetration test once they are in place.
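An added example, not part of the original advisory, of the monitoring and pre-filtering points above: since a legitimate rid is only ever a decimal integer, a strict allow-list check serves both as a WAF or reverse-proxy rule for the endpoint and as a detector to run over web server access logs. The log lines below are constructed for this example; the combined-log layout is a common default, but your server's format may differ and the regex would need adjusting.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in the common "combined" layout. The IPs,
# timestamps and payloads are made up for this example, not taken from any
# real server.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Nov/2025:14:10:01 +0000] "GET /admin/roombook.php?rid=12 HTTP/1.1" 200 2311
203.0.113.7 - - [07/Nov/2025:14:10:05 +0000] "GET /admin/rooms.php?id=3 HTTP/1.1" 200 1804
198.51.100.23 - - [07/Nov/2025:14:11:40 +0000] "GET /admin/roombook.php?rid=1%20OR%201%3D1 HTTP/1.1" 200 9812
198.51.100.23 - - [07/Nov/2025:14:11:52 +0000] "GET /admin/roombook.php?rid=1%27 HTTP/1.1" 500 512
198.51.100.23 - - [07/Nov/2025:14:12:03 +0000] "GET /admin/roombook.php?rid=0%20UNION%20SELECT%201,2,3,4 HTTP/1.1" 200 3300
203.0.113.9 - - [07/Nov/2025:14:13:00 +0000] "POST /admin/roombook.php HTTP/1.1" 302 0
"""

# Fields of a combined-format line we need: client IP, timestamp, method,
# request target and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/roombook.php"
RID_OK = re.compile(r"[0-9]+")  # the only shape a legitimate rid should have


def rid_is_clean(value):
    """Allow-list check usable as a WAF rule: a decimal integer, nothing else."""
    return RID_OK.fullmatch(value) is not None


def scan_access_log(text):
    """Return (ip, timestamp, decoded_rid, status) for every GET to TARGET_PATH
    whose rid parameter fails the allow-list.

    Only the query string is visible in an access log; POST bodies are not,
    so POST requests to the endpoint cannot be judged from this source.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so %20 / %27 / %3D become the characters
        # the application would actually have seen.
        for rid in parse_qs(parts.query).get("rid", []):
            if not rid_is_clean(rid):
                hits.append((m["ip"], m["ts"], rid, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, rid, status in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} rid={rid!r}")
```

A 200 on a tautology payload is the line to worry about: it means the injected query ran and returned a page, whereas a 500 on a stray quote usually indicates a probe that produced a database error. Group the hits by client IP and by session where your logs carry one; under PR:H each hit also names an account whose credentials should be treated as compromised.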


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-07T06:58:06.771Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690e03b5623ee59e95cb7e36

Added to database: 11/7/2025, 2:35:33 PM

Last enriched: 11/14/2025, 2:41:42 PM

Last updated: 12/22/2025, 7:17:07 PM