CVE-2025-8378: SQL Injection in Campcodes Online Hotel Reservation System
A vulnerability was found in Campcodes Online Hotel Reservation System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8378 is an SQL injection vulnerability in version 1.0 of the Campcodes Online Hotel Reservation System, located in /admin/index.php within the Login component. The username and password parameters reach a database query without proper validation or parameterization, so a remote, unauthenticated attacker can change the structure of the statement the login handler executes; no user interaction is required. Because the flaw sits in the administrative login, the most direct consequence is authentication bypass (a tautology injected into the WHERE clause makes the query return a row regardless of the password), followed by whatever the application's database account can reach: reading stored credentials, guest and booking records, modifying or deleting data, and, depending on database privileges and configuration, further compromise of the host. Two severity signals on this page disagree and should be read carefully: the VulDB textual rating is "critical", while the CVSS 4.0 base score is 6.9 (medium), which credits network reachability with no privileges or user interaction but assumes limited confidentiality, integrity and availability impact. For an internet-facing admin login that guards the entire reservation database, the practical impact is closer to the higher rating. No official patch is listed, and although no in-the-wild exploitation has been reported, a public exploit exists, so opportunistic scanning for this endpoint should be expected. Only version 1.0 is listed as affected; this is a niche system of the kind typically deployed by small to medium hospitality businesses, which usually lack dedicated security staff.
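To make the mechanism concrete, here is an added example (not code from the Campcodes project, whose actual schema and query text this page does not show): a login check built by string concatenation beside the same check as a prepared statement, run against a constructed in-memory SQLite table. The table layout, the plaintext password column and the generic tautology payload are assumptions for illustration; the payload is not taken from the disclosed exploit for CVE-2025-8378.

```python
import sqlite3

# Added example, not the project's code. Schema and query shapes are assumed;
# the password is stored in plaintext only to keep the example short (a real
# application should store a salted hash).

def make_db():
    """Constructed in-memory admin table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO admin (username, password) VALUES ('admin', 'S3cret!')"
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Login check built by string concatenation. The request parameters
    become part of the SQL text, so a quote in either field changes the
    grammar of the statement instead of being compared as data."""
    sql = (
        "SELECT id FROM admin WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """Same check with a prepared statement. The query text is fixed and the
    values travel separately, so the same payload is an ordinary string that
    matches no account."""
    sql = "SELECT id FROM admin WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Generic tautology payload illustrating the class of flaw. With the vulnerable
# query it yields:
#   WHERE username = 'x' OR '1'='1' AND password = 'x' OR '1'='1'
# which, because AND binds tighter than OR, is true for every row.
BYPASS = "x' OR '1'='1"

def demo():
    """Run both login variants with valid, wrong and injected credentials."""
    conn = make_db()
    return {
        "valid_creds_vulnerable": login_vulnerable(conn, "admin", "S3cret!"),
        "wrong_pw_vulnerable": login_vulnerable(conn, "admin", "wrong"),
        "bypass_vulnerable": login_vulnerable(conn, BYPASS, BYPASS),
        "bypass_parameterized": login_parameterized(conn, BYPASS, BYPASS),
        "valid_creds_parameterized": login_parameterized(conn, "admin", "S3cret!"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} login succeeded: {ok}")
```

The point of the side-by-side is that nothing about the payload changes between the two functions; only whether the driver treats it as SQL text or as a bound value does. That is why escaping or filtering is a weaker fix than parameterization: the vulnerable path has to anticipate every metacharacter, the parameterized path never interprets the input at all.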
Potential Impact
For European organizations running Campcodes Online Hotel Reservation System 1.0, this vulnerability puts the confidentiality and integrity of guest and business data at direct risk. A successful injection against the admin login can expose personal guest information, payment details and internal booking records, which would constitute a personal data breach under the GDPR, with its notification obligations and potential fines. Compromise of the administrative account also lets an attacker alter or delete reservations, disrupting hotel operations and causing financial and reputational harm. Because exploitation is remote and unauthenticated, attackers can scan for internet-facing instances of this product and hit many installations with the same request, so small operators that expose the administrative interface to the internet and lack dedicated security staff are the most exposed.
Mitigation Recommendations
No official patch is listed, so operators should put compensating controls in place now and treat them as temporary. Restrict /admin/index.php at the network or reverse-proxy layer: an IP allowlist, VPN-only access, or an additional authentication layer in front of the application. Put a WAF rule in front of the login handler that blocks SQL injection patterns in the username and password parameters; key such rules on tautologies, comment sequences and UNION or stacked-query markers rather than on any quote character, since legitimate passwords contain quotes, and remember that a WAF only raises the bar. If the source is available, the real fix is to replace string-built queries with prepared statements (parameterized queries) in the login handler and to check the rest of the code base for the same pattern; input validation helps but does not substitute for parameterization. Make sure the database account the application uses has only the privileges it needs, so that a successful injection cannot read or write beyond the application's own tables or use privileged database features. Monitor web server and database logs for repeated login attempts carrying SQL metacharacters, database error messages surfaced by the login page, and successful admin logins from unexpected addresses; rotate the administrator password if such activity is seen. Keep tested backups, isolate the host from internal networks it does not need to reach, and contact the vendor for a patched release or plan a migration away from version 1.0.
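As an added example of the kind of stopgap rule the WAF recommendation above describes (this is illustration code, not a ruleset from the page or from any WAF product), the following request filter inspects POSTs to /admin/index.php and blocks only when the username or password field carries a recognisable injection construct. The patterns, the request samples and the parameter names are assumptions; a production ruleset such as the OWASP Core Rule Set is far more complete. The sample requests are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Added example, not code from the project or from a WAF vendor. The patterns
# below are a small, assumed set of SQL injection indicators chosen so that an
# ordinary password containing an apostrophe is not rejected.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),          # ' OR '1'='1 , ' or 1=1
    re.compile(r"(--|/\*)"),                             # SQL comment sequences
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),  # UNION SELECT
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),  # time-based probes
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),  # stacked queries
]

LOGIN_PATH = "/admin/index.php"          # from the advisory
WATCHED_PARAMS = ("username", "password")  # from the advisory

def suspicious_params(body):
    """Return {param: [matched patterns]} for watched form fields whose value
    contains an injection indicator."""
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            matched = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
            if matched:
                hits[name] = matched
    return hits

def inspect_request(method, path, body):
    """Decide 'block' or 'allow' for one request. Only login POSTs to the
    vulnerable path are examined; everything else passes through."""
    if method == "POST" and path == LOGIN_PATH:
        hits = suspicious_params(body)
        if hits:
            return "block", hits
    return "allow", {}

# Constructed sample requests (method, path, url-encoded body), not real traffic.
SAMPLE_REQUESTS = [
    ("legit login",        "POST", LOGIN_PATH, "username=admin&password=S3cret%21"),
    ("tautology in user",  "POST", LOGIN_PATH, "username=admin%27+OR+%271%27%3D%271&password=x"),
    ("comment in user",    "POST", LOGIN_PATH, "username=admin%27--&password=x"),
    ("apostrophe in pw",   "POST", LOGIN_PATH, "username=obrien&password=O%27Brien"),
    ("unrelated page",     "GET",  "/index.php", ""),
]

def run_samples():
    """Apply the filter to every sample and return [(label, decision)]."""
    return [(label, inspect_request(m, p, b)[0]) for label, m, p, b in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for label, decision in run_samples():
        print(f"{label:20s} -> {decision}")
```

Two design choices matter here. The rule is scoped to the one path and the two parameters named in the advisory, which keeps false positives off the rest of the site, and it does not treat a lone quote as an attack, so a guest named O'Brien can still log in. The cost is that it is trivially incomplete: encodings the filter does not decode, case tricks it does not normalise, and any construct outside the list go through, which is why the text above calls this a bar-raiser and not a fix.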
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-30T17:54:14.936Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 688b4307ad5a09ad00b61a65
Added to database: 7/31/2025, 10:18:47 AM
Last enriched: 7/31/2025, 10:33:08 AM
Last updated: 8/1/2025, 5:04:56 AM
Related Threats
- CVE-2025-8442: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-8441: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-8439: SQL Injection in code-projects Wazifa System (Medium)
- CVE-2025-8438: SQL Injection in code-projects Wazifa System (Medium)
- CVE-2025-7646: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in posimyththemes The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce (Medium)