
CVE-2025-6421: SQL Injection in code-projects Simple Online Hotel Reservation System

Severity: Medium
Tags: Vulnerability, CVE-2025-6421
Published: Sat Jun 21 2025 (06/21/2025, 22:00:11 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Online Hotel Reservation System

Description

A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/add_account.php. The manipulation of the argument name/admin_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/21/2025, 22:25:29 UTC

Technical Analysis

CVE-2025-6421 is a SQL injection vulnerability in version 1.0 of the Simple Online Hotel Reservation System by code-projects. The flaw is in /admin/add_account.php, the script that creates administrator accounts, where the 'name' and 'admin_id' request parameters reach a SQL statement without parameterization. A crafted value in either parameter changes the structure of that statement, letting a remote attacker run SQL of their choosing with whatever rights the application's database account holds.

The entry carries a CVSS 4.0 base score of 6.9 (medium). The score reflects ease of exploitation (network-reachable, low complexity, no user interaction and, as scored, no privileges required) combined with low rather than high impact on confidentiality, integrity and availability. One check a practitioner should make before treating this as a pre-authentication issue: the script sits under /admin/, and this page does not say whether it verifies an administrator session before processing input. If it does, an attacker first needs admin credentials and the practical risk drops; if it does not, the endpoint is exposed to anyone who can reach the web server.

A proof of concept has been disclosed publicly, although no exploitation in the wild has been reported. No vendor patch is referenced here, so affected deployments stay exposed until the code is fixed locally or the software is replaced. Because the script writes administrator accounts, the manipulated statement presumably touches the admin account table, and the plausible outcomes include creating or altering administrator records and, through the database, reading or modifying guest data and reservation records or disrupting bookings. The affected population is limited by the product's small market penetration and the single affected version (1.0), which narrows the aggregate impact without reducing it for any individual deployment.

Potential Impact

For European organizations, the impact would be concentrated in the hospitality sector, particularly small and medium-sized hotels that run version 1.0 of the Simple Online Hotel Reservation System. Exploitation could expose guests' personally identifiable information (names, contact details and booking histories), which constitutes a personal data breach under the GDPR and brings notification obligations, possible fines and reputational damage. Attackers could also alter or delete reservation data, causing operational disruption and financial loss; the integrity of booking data underpins both customer trust and business continuity. Because the flaw is reachable over the network and a public proof of concept exists, attacks can be automated and run at scale against every exposed instance. The aggregate impact is limited by the product's low adoption in Europe and the absence of reported exploitation campaigns, but any organization running this system handles exactly the kind of data that makes the vulnerability serious and should treat it accordingly.

Mitigation Recommendations

Start by inventorying deployments of Simple Online Hotel Reservation System version 1.0 so that every affected instance is known. Restrict network access to the /admin/ path to trusted IP ranges or VPN users; this is the most effective short-term control because it removes the endpoint from anonymous reach. As a stopgap, not a fix, add Web Application Firewall rules for SQL injection patterns on /admin/add_account.php, focused on the 'name' and 'admin_id' parameters; expect some bypasses, and do not let the WAF substitute for a code change.

Fix the code: rewrite the query in add_account.php (and any other script that builds SQL from request data) to use prepared statements with bound parameters, and validate admin_id against the format the application expects. If modifying the source is not feasible, isolate the application or replace it. Ask the vendor or community whether a corrected version exists, since none is referenced on this page.

For detection and recovery, review web server and application logs for requests to /admin/add_account.php whose parameters contain quote, comment or SQL keyword sequences, watch database logs for syntax errors or unexpected statements, and audit the administrator account table for rows nobody created. Keep regular database backups and test restoring from them, so tampered or deleted reservation data can be recovered. Brief administrators on what exploitation attempts look like so they recognize and report suspicious activity.
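To make the injection in the Technical Analysis concrete, and to show the prepared-statement fix and the log screening recommended above, here is an added example that is not code from code-projects or from this advisory. It models the endpoint with an in-memory SQLite database; the admin table layout, the INSERT statement, the payload, the log lines and every function name are assumptions, because the page names only the file and the 'name' and 'admin_id' parameters. The real project is PHP on MySQL, where string concatenation uses CONCAT() rather than ||, so the payload illustrates the class of attack rather than being a ready-made exploit string.

```python
"""Added example, not code from code-projects or from this advisory page.
Models the class of bug described for /admin/add_account.php with an
in-memory SQLite database.  Schema, SQL text, payload, log lines and
function names are all assumptions."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def new_db() -> sqlite3.Connection:
    # Constructed schema with one pre-existing administrator whose password
    # is the secret an attacker would want.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (admin_id TEXT PRIMARY KEY, name TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('1', 'owner', 'S3cret!')")
    return db


def add_account_vulnerable(db: sqlite3.Connection, admin_id: str, name: str, password: str) -> None:
    # Request values spliced straight into the statement text, the pattern
    # behind this class of finding.  A quote in the input ends the literal.
    sql = ("INSERT INTO admin (admin_id, name, password) "
           f"VALUES ('{admin_id}', '{name}', '{password}')")
    db.execute(sql)
    db.commit()


def add_account_fixed(db: sqlite3.Connection, admin_id: str, name: str, password: str) -> None:
    # Hardened form: the SQL text is constant; values travel as bound
    # parameters and are never parsed as SQL.
    db.execute("INSERT INTO admin (admin_id, name, password) VALUES (?, ?, ?)",
               (admin_id, name, password))
    db.commit()


# Assumed payload for the 'name' parameter: closes the string literal,
# concatenates a subquery result, then reopens the literal so the INSERT
# stays valid.  '||' is SQLite concatenation; MySQL would need CONCAT().
LEAK_PAYLOAD = "x'||(SELECT password FROM admin WHERE admin_id='1')||'"


def stored_name(db: sqlite3.Connection, admin_id: str) -> str:
    row = db.execute("SELECT name FROM admin WHERE admin_id = ?", (admin_id,)).fetchone()
    return row[0]


def demo_vulnerable() -> str:
    # The new account's 'name' now holds the owner's password, readable from
    # any page that lists administrator accounts.
    db = new_db()
    add_account_vulnerable(db, "99", LEAK_PAYLOAD, "pw")
    return stored_name(db, "99")


def demo_fixed() -> str:
    # Same payload, bound as a parameter: stored byte-for-byte as a name.
    db = new_db()
    add_account_fixed(db, "99", LEAK_PAYLOAD, "pw")
    return stored_name(db, "99")


# Constructed access-log lines (combined log format).  The second carries the
# payload above, URL-encoded, in a GET query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jun/2025:22:00:11 +0000] "GET /admin/add_account.php?admin_id=7&name=Alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Jun/2025:22:01:40 +0000] "GET /admin/add_account.php?admin_id=99&name=x%27%7C%7C%28SELECT+password+FROM+admin%29%7C%7C%27 HTTP/1.1" 200 512',
]
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Screening heuristic for the two parameters named in the advisory: string
# delimiters, comment introducers and a few SQL keywords.  Expect false
# positives on names containing apostrophes; tune per deployment.
SUSPICIOUS = re.compile(r"""['"#;]|--|/\*|\b(select|union|sleep|benchmark)\b""", re.IGNORECASE)


def suspicious_requests(lines: list[str]) -> list[tuple[str, str, str]]:
    # Returns (source IP, parameter, decoded value) for hits against
    # /admin/add_account.php.  Only GET query strings reach access logs; if
    # the form POSTs, the same check belongs in a WAF or application log.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/admin/add_account.php":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for param in ("name", "admin_id"):
            for value in params.get(param, []):
                if SUSPICIOUS.search(value):
                    hits.append((m["src"], param, value))
    return hits
```

Running demo_vulnerable() returns 'xS3cret!', the existing administrator's password copied into a field the attacker can read back; demo_fixed() returns the payload unchanged as an ordinary name. In the PHP code itself the equivalent fix is a mysqli or PDO prepared statement with bound parameters; escaping alone is a weaker substitute, and the log check is a screening aid, not a replacement for the code change.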


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-20T10:56:08.144Z
CVSS Version
4.0
State
PUBLISHED

Threat ID: 68572dd156b83d086c5ce13f

Added to database: 6/21/2025, 10:10:25 PM

Last enriched: 6/21/2025, 10:25:29 PM

Last updated: 8/11/2025, 8:44:31 PM


