CVE-2025-6578: SQL Injection in code-projects Simple Online Hotel Reservation System
A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/delete_account.php. The manipulation of the argument admin_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6578 is a critical SQL Injection vulnerability identified in version 1.0 of the Simple Online Hotel Reservation System developed by code-projects. The vulnerability resides in the /admin/delete_account.php file, specifically in the handling of the 'admin_id' parameter. Due to insufficient input validation or sanitization, an attacker can manipulate this parameter to inject arbitrary SQL commands. This flaw allows remote attackers to execute unauthorized SQL queries on the backend database without requiring any authentication or user interaction. The vulnerability is exploitable over the network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L), indicating partial compromise potential. The vulnerability has a CVSS v4.0 base score of 6.9, categorized as medium severity. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The vulnerability could allow attackers to delete or manipulate administrative accounts, potentially leading to unauthorized access, data leakage, or disruption of hotel reservation services. Given the critical nature of administrative account management, exploitation could facilitate further lateral movement or privilege escalation within affected environments. The lack of patches or vendor-provided fixes at the time of disclosure increases the urgency for mitigation.
Potential Impact
For European organizations using the Simple Online Hotel Reservation System version 1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized deletion or modification of administrative accounts, resulting in loss of control over the reservation system. This may cause operational disruptions, data integrity issues, and potential exposure of sensitive customer data, including personally identifiable information (PII) and payment details. Hotels and hospitality businesses relying on this system could face reputational damage, regulatory penalties under GDPR for data breaches, and financial losses due to service downtime or fraud. Additionally, attackers gaining administrative access might pivot to other internal systems, amplifying the impact. The medium CVSS score reflects a moderate but tangible threat, especially given the ease of remote exploitation without authentication. Organizations with limited cybersecurity maturity or lacking network segmentation are particularly vulnerable. The threat is more acute for entities with high customer volumes or critical dependency on online booking platforms.
Mitigation Recommendations
- Implement input validation and parameterized queries (prepared statements) in /admin/delete_account.php immediately to prevent SQL injection.
- Apply web application firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the 'admin_id' parameter.
- Restrict access to administrative endpoints by IP allow-listing or VPN-only access to reduce exposure.
- Conduct thorough code reviews and security testing (including automated static and dynamic analysis) on all input handling in the application.
- Monitor logs for unusual database queries or repeated failed attempts to manipulate the 'admin_id' parameter.
- Isolate the hotel reservation system in a segmented network zone to limit lateral movement if it is compromised.
- Develop and deploy patches, or upgrade to a fixed version once one is available from the vendor.
- Educate IT staff and administrators about this vulnerability and the importance of timely updates and monitoring.
- Consider temporarily disabling or restricting the delete_account.php functionality, if feasible, until a patch is applied.
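The following is an added example of what the first, fifth and third recommendations look like in code; it is not code from the code-projects project. It assumes a PDO connection, an `admin` table whose integer primary key is `admin_id`, and the logged-in administrator's id in `$_SESSION['admin_id']` (all assumptions).

```php
<?php
// Added example, not the project's own code. Assumed: a PDO connection in $pdo,
// an "admin" table with integer primary key "admin_id", and the logged-in
// administrator's id in $_SESSION['admin_id'].
declare(strict_types=1);
session_start();

function delete_admin_account(PDO $pdo, mixed $raw_id, int $current_admin): bool
{
    // 1. Type-validate before the value gets anywhere near SQL. FILTER_VALIDATE_INT
    //    rejects strings such as "1 OR 1=1", empty input and floats; min_range
    //    rejects 0 and negative ids.
    $admin_id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($admin_id === false) {
        // Rejected input is logged so repeated manipulation attempts can be monitored.
        error_log(sprintf('delete_account: rejected admin_id %s from %s',
            var_export($raw_id, true), $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }
    // 2. An administrator must not delete the account they are logged in with.
    if ($admin_id === $current_admin) {
        return false;
    }
    // 3. Parameterized query: the id travels as a bound integer, never as SQL text.
    $stmt = $pdo->prepare('DELETE FROM admin WHERE admin_id = :id');
    $stmt->bindValue(':id', $admin_id, PDO::PARAM_INT);
    $stmt->execute();
    $deleted = $stmt->rowCount(); // exactly one row is expected
    error_log(sprintf('delete_account: admin %d deleted admin_id %d (%d rows)',
        $current_admin, $admin_id, $deleted));
    return $deleted === 1;
}

// Endpoint wiring: require an authenticated admin session and a POST request,
// so the deletion is not reachable anonymously or from a plain link.
if (!isset($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}
$pdo = new PDO('mysql:host=localhost;dbname=hotel', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
if (!delete_admin_account($pdo, $_POST['admin_id'] ?? null, (int) $_SESSION['admin_id'])) {
    http_response_code(400);
    exit('Invalid request');
}
header('Location: /admin/accounts.php');
```

Adding a CSRF token check to the POST handler is the remaining step a hardened version of this endpoint would normally carry.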
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-24T15:34:53.696Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 685b087866faf0c1de3b0f90
Added to database: 6/24/2025, 8:20:08 PM
Last enriched: 6/24/2025, 8:35:03 PM
Last updated: 8/9/2025, 2:18:48 PM