CVE-2025-13170 identifies a SQL injection vulnerability in the Simple Online Hotel Reservation System version 1.0 developed by code-projects. The vulnerability resides in the /admin/edit_account.php script, specifically in the processing of the admin_id parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, allowing unauthorized access to the backend database. The vulnerability requires no authentication or user interaction, making it highly accessible for exploitation. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, and no privileges or user interaction required. The impact includes potential unauthorized disclosure, modification, or deletion of sensitive data stored in the reservation system's database, which may contain customer personal information, booking details, and administrative credentials. Although no known active exploits have been reported, a public exploit exists, increasing the likelihood of attacks. The affected product is a niche hotel reservation system, which limits the scope but poses significant risks to organizations relying on this software for their booking operations. The vulnerability highlights the importance of secure coding practices, particularly input validation and use of parameterized queries to prevent SQL injection. No official patches have been linked yet, so organizations must prioritize code audits and implement compensating controls such as web application firewalls and strict access controls to mitigate risk until a fix is available.

For European organizations using the Simple Online Hotel Reservation System 1.0, this vulnerability could lead to unauthorized access to sensitive customer and administrative data, including personal identification information and booking records. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, attackers could alter or delete reservation data, disrupting business operations and causing financial losses. The ability to execute arbitrary SQL commands remotely without authentication increases the risk of widespread exploitation. Hospitality businesses in Europe, especially those with online booking systems integrated with this software, face operational and compliance risks. The breach of customer trust and potential downtime could have long-term negative effects on business continuity and customer retention. Furthermore, attackers might leverage this vulnerability as a foothold for further network compromise, escalating the threat beyond the reservation system itself.

Organizations should immediately audit their use of the Simple Online Hotel Reservation System version 1.0 and identify if the vulnerable /admin/edit_account.php component is in use. Since no official patch is currently available, developers must review and refactor the code handling the admin_id parameter to use prepared statements or parameterized queries, eliminating direct SQL command concatenation. Implement strict input validation and sanitization for all user-supplied data. Restrict access to administrative interfaces by IP whitelisting or VPN-only access to reduce exposure. Deploy web application firewalls (WAFs) with rules designed to detect and block SQL injection attempts targeting this parameter. Monitor logs for suspicious activity related to admin_id manipulation. Conduct penetration testing to verify the effectiveness of mitigations. Finally, plan for an upgrade or replacement of the affected software with a secure, actively maintained alternative to reduce future risk.