CVE-2025-13546 identifies a SQL injection vulnerability in the ashraf-kabir travel-agency software, specifically in the Search component's /results.php file. The vulnerability arises from improper sanitization of the user_query parameter, which is directly used in SQL statements. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or denial of service. The vulnerability is exploitable over the network without any user interaction or prior authentication, increasing its risk profile. The product does not use versioning, making it difficult to determine affected versions or apply targeted patches. The CVSS 4.0 score is 5.3 (medium), reflecting the ease of exploitation but limited scope and impact. No known exploits are currently active in the wild, but public exploit code is available, which could facilitate attacks. The vulnerability impacts confidentiality, integrity, and availability of backend databases, which may contain sensitive customer and operational data. Organizations using this product, especially in the travel sector, should prioritize remediation to prevent data breaches or service disruptions.

For European organizations, especially those in the travel and tourism sector using the ashraf-kabir travel-agency software, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of customer personal data, booking details, and payment information, violating GDPR and other data protection regulations. Integrity of booking data could be compromised, leading to fraudulent transactions or operational disruptions. Availability of the travel agency’s services could be impacted by SQL injection-based denial of service attacks, harming business continuity and reputation. The public availability of exploit code increases the likelihood of attacks targeting European entities. Additionally, compromised systems could be leveraged for further lateral movement or data exfiltration within organizational networks. The lack of versioning complicates patch management and vulnerability tracking, increasing exposure time.

1. Implement strict input validation and sanitization on the user_query parameter to ensure only expected input is processed. 2. Refactor database queries to use parameterized queries or prepared statements to eliminate direct injection risks. 3. Employ Web Application Firewalls (WAFs) with SQL injection detection and blocking capabilities to provide an additional protective layer. 4. Conduct thorough code reviews and security testing focusing on all user inputs in the Search component and related modules. 5. Monitor logs for unusual query patterns or errors indicative of injection attempts. 6. Since no official patches or versioning exist, consider isolating the affected application in a segmented network zone to limit exposure. 7. Educate development and operations teams about secure coding practices and incident response procedures related to SQL injection. 8. Plan for migration or upgrade to a more secure and actively maintained travel agency platform if feasible.