CVE-2025-13170 identifies a SQL Injection vulnerability in the Simple Online Hotel Reservation System version 1.0 developed by code-projects. The vulnerability resides in the /admin/edit_account.php script, specifically in the processing of the admin_id parameter. Due to insufficient input validation and sanitization, attackers can manipulate this parameter to inject arbitrary SQL queries remotely, without requiring authentication or user interaction. This injection flaw can be exploited to execute unauthorized SQL commands against the backend database, potentially allowing attackers to read, modify, or delete sensitive data such as user credentials, booking information, or administrative settings. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting a medium severity level, with characteristics including network attack vector, low attack complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public availability of exploit code increases the likelihood of exploitation attempts. The affected product is primarily used in hospitality management contexts, making the vulnerability relevant to organizations managing hotel reservations and related customer data. No official patches or fixes have been linked yet, so mitigation requires immediate attention to input validation and access controls.

The SQL Injection vulnerability in the Simple Online Hotel Reservation System can have significant consequences for organizations worldwide that rely on this software. Successful exploitation could lead to unauthorized disclosure of sensitive customer and administrative data, including personal identification and payment information, resulting in privacy violations and regulatory non-compliance. Attackers might also alter or delete reservation records, disrupting business operations and causing financial losses. The integrity of the system could be compromised, undermining trust in the service. Availability could be affected if attackers execute destructive queries or cause database corruption. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, increasing the risk of widespread exploitation. This threat is particularly impactful for small to medium hospitality businesses that may lack robust security measures or incident response capabilities.

To mitigate CVE-2025-13170, organizations should immediately implement strict input validation and sanitization for the admin_id parameter and any other user-supplied inputs in the affected application components. Employ parameterized queries or prepared statements to prevent SQL injection attacks effectively. If source code modification is not feasible immediately, consider deploying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection patterns targeting the /admin/edit_account.php endpoint. Restrict access to administrative interfaces by IP whitelisting or VPN to reduce exposure. Monitor logs for suspicious activities related to admin_id parameter manipulation. Regularly back up databases to enable recovery in case of data corruption. Engage with the software vendor or community to obtain patches or updates addressing this vulnerability. Additionally, conduct security assessments and penetration testing to identify and remediate similar injection flaws in other parts of the system.