CVE-2025-13169: SQL Injection in code-projects Simple Online Hotel Reservation System
A security vulnerability has been detected in code-projects Simple Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /add_query_reserve.php. Manipulation of the argument room_id leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-13169 is a SQL Injection vulnerability identified in the Simple Online Hotel Reservation System version 1.0 developed by code-projects. The vulnerability exists in the /add_query_reserve.php script, where the room_id parameter is not properly sanitized or validated before being incorporated into SQL queries. This lack of input validation allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially manipulating the backend database. Such injection can lead to unauthorized data retrieval, modification, or deletion, compromising the confidentiality, integrity, and availability of reservation and customer data. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. Although no public exploits have been reported in the wild yet, the vulnerability has been publicly disclosed, which increases the risk of exploitation by threat actors. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This suggests that the vulnerability can be exploited remotely with relative ease and can cause moderate damage to the affected systems. The Simple Online Hotel Reservation System is typically used by small to medium-sized hospitality businesses to manage bookings online, making the data stored within it sensitive and critical for business operations. The absence of patches or official fixes at the time of disclosure necessitates immediate mitigation steps by administrators.
Potential Impact
For European organizations, especially those in the hospitality and tourism sectors, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer information such as personal details and booking histories, potentially violating GDPR regulations and resulting in legal and financial penalties. Data integrity could be compromised, leading to incorrect booking information, double bookings, or cancellations, which would disrupt business operations and damage customer trust. Availability impacts could arise if attackers manipulate or delete reservation data, causing service outages or operational delays. Since the vulnerability can be exploited remotely without authentication, attackers from anywhere could target affected systems, increasing the threat landscape. The medium severity rating reflects a balance between the ease of exploitation and the potential damage, but the impact on customer data privacy and business continuity in the European hospitality market could be substantial. Organizations failing to address this vulnerability risk reputational damage and financial losses due to service disruption and regulatory non-compliance.
Mitigation Recommendations
Immediate mitigation should focus on input validation and sanitization of the room_id parameter in /add_query_reserve.php. Developers should refactor the code to use parameterized queries or prepared statements to prevent SQL injection. Until a patch is available, organizations should implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this parameter. Regularly monitor web server logs for suspicious activity related to /add_query_reserve.php and the room_id parameter. Conduct thorough code audits of the entire application to identify and remediate similar vulnerabilities. Restrict database user permissions to the minimum necessary to limit the impact of any successful injection. Additionally, organizations should ensure that backups of reservation data are current and tested for restoration to mitigate potential data loss. Finally, maintain awareness of any official patches or updates from the vendor and apply them promptly once released.
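The refactoring recommended above, shown as an added example rather than the project's own code: the concatenation pattern the advisory describes next to a hardened lookup that validates room_id as an integer and binds it through a mysqli prepared statement. It assumes $db is an open mysqli connection and a table rooms(room_id, room_name, price); both are assumptions, since the affected code itself is not published here.

```php
<?php
// Added example, not code from Simple Online Hotel Reservation System.
// Assumptions: $db is an open mysqli connection and the schema is
// rooms(room_id, room_name, price).

// Vulnerable pattern (the defect class the advisory describes): the raw
// request value is spliced into the SQL string, so the database parses it
// as part of the query rather than as data.
function lookupRoomVulnerable(mysqli $db, string $roomId): ?array
{
    $sql = "SELECT room_id, room_name, price FROM rooms WHERE room_id = '$roomId'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened version: reject anything that is not a positive integer before
// touching the database, then bind the value as a typed parameter so it can
// never be interpreted as SQL text.
function lookupRoomSafe(mysqli $db, string $roomId): ?array
{
    $id = filter_var($roomId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // malformed room_id, never sent to the database
    }
    $stmt = $db->prepare('SELECT room_id, room_name, price FROM rooms WHERE room_id = ?');
    if ($stmt === false) {
        return null; // prepare failed (e.g. schema mismatch); fail closed
    }
    $stmt->bind_param('i', $id); // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Call site as a reservation handler would use it: malformed or unknown
// room_id values get a 400 instead of reaching a query.
$room = lookupRoomSafe($db, (string)($_POST['room_id'] ?? ''));
if ($room === null) {
    http_response_code(400);
    exit('Invalid or unknown room_id');
}
```

The same validate-then-bind pattern applies to every other request parameter the application passes into SQL, which is what the code audit recommended above should look for.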
Affected Countries
Spain, Italy, France, Germany, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-14T08:17:01.008Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69174cd17ba9501c4c8e3c33
Added to database: 11/14/2025, 3:37:53 PM
Last enriched: 11/14/2025, 3:45:01 PM
Last updated: 11/15/2025, 6:00:33 PM
Related Threats
- CVE-2025-13203: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
- CVE-2025-13202: Cross Site Scripting in code-projects Simple Cafe Ordering System (Medium)
- CVE-2025-13201: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
- CyberRecon project (Medium)
- CVE-2025-13200: Exposure of Information Through Directory Listing in SourceCodester Farm Management System (Medium)