CVE-2025-13545 is a SQL injection vulnerability identified in the ashraf-kabir travel-agency software, affecting versions up to commit 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. The flaw resides in the /admin_area/index.php file, where the edit_pack parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands remotely. The vulnerability does not require user interaction or authentication but does require high privileges (PR:H) to exploit, indicating that the attacker must have some level of access, possibly to the admin interface. The CVSS 4.0 score of 5.1 reflects a medium severity with network attack vector, low complexity, no user interaction, and limited impact on confidentiality, integrity, and availability. The vendor uses continuous delivery with rolling releases, complicating version tracking and patch availability. Despite early vendor notification, no response or patch has been provided, and no known exploits have been observed in the wild yet. The public disclosure of the vulnerability increases the risk of exploitation by threat actors. SQL injection vulnerabilities can allow attackers to extract sensitive data, modify or delete database contents, or disrupt service availability. Given the nature of the product—a travel agency platform—compromise could expose personal customer data, booking information, and internal administrative controls.

For European organizations using the ashraf-kabir travel-agency software, this vulnerability poses a risk of unauthorized data access and potential data manipulation, which could lead to breaches of personal data protected under GDPR. The travel sector is critical for both economic and operational reasons, and disruption or data leaks could damage reputation and result in regulatory penalties. Attackers exploiting this vulnerability could gain access to sensitive customer information, including travel itineraries and payment details, leading to identity theft or financial fraud. Integrity attacks could alter bookings or pricing, causing operational disruptions. Availability impacts, while limited, could still affect service continuity if database integrity is compromised. The lack of vendor response and patch availability increases exposure time, necessitating immediate defensive actions. European travel agencies and related service providers are at risk, especially those with exposed or weakly secured admin interfaces.

1. Immediately restrict access to the /admin_area/index.php interface by implementing IP whitelisting, VPN access, or network segmentation to limit exposure to trusted personnel only. 2. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the edit_pack parameter. 3. Conduct thorough input validation and sanitization on all parameters, especially edit_pack, to prevent injection attacks; if possible, implement parameterized queries or prepared statements in the codebase. 4. Monitor database logs and web server logs for unusual or suspicious queries indicative of SQL injection attempts. 5. Prepare incident response plans specific to this vulnerability, including data backup and recovery procedures. 6. Engage with the vendor or community to track updates or patches; consider code audits or third-party security assessments if source code access is available. 7. Educate administrative users on secure access practices and the risks of exposing admin interfaces publicly. 8. If feasible, isolate the affected system from critical networks until a patch or fix is available.