CVE-2025-8972 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The vulnerability arises from improper sanitization or validation of the 'email' parameter in the /admin/page-login.php file. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the intended SQL queries executed by the backend database. This can lead to unauthorized data access, data modification, or even complete compromise of the database. The vulnerability does not require authentication or user interaction, making it accessible to unauthenticated remote attackers. The CVSS 4.0 base score is 6.9 (medium severity), reflecting a network attack vector with low complexity and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is limited but present, as the vulnerability allows partial compromise of the database. No official patches or mitigations have been published yet, and while no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation.

For European organizations using the itsourcecode Online Tour and Travel Management System, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive customer and business data. Tour and travel management systems typically handle personal identifiable information (PII), booking details, payment information, and other sensitive data. Exploitation could lead to data breaches, loss of customer trust, regulatory penalties under GDPR, and operational disruptions. Since the vulnerability is remotely exploitable without authentication, attackers could automate attacks to extract or manipulate data, potentially impacting business continuity. The medium severity score suggests a moderate but tangible risk, especially for organizations that have not implemented compensating controls or network segmentation. The lack of patches increases exposure time, and organizations relying on this software should consider immediate mitigation steps to prevent exploitation.

Given the absence of official patches, European organizations should implement the following specific mitigations: 1) Apply Web Application Firewall (WAF) rules tailored to detect and block SQL injection attempts targeting the 'email' parameter on /admin/page-login.php. 2) Restrict access to the admin login page by IP whitelisting or VPN-only access to reduce exposure. 3) Conduct immediate code review and implement input validation and parameterized queries or prepared statements for the 'email' parameter to prevent injection. 4) Monitor database logs and web server logs for unusual query patterns or repeated failed login attempts indicative of exploitation attempts. 5) If feasible, isolate the affected system in a segmented network zone to limit lateral movement in case of compromise. 6) Prepare incident response plans specific to data breaches involving customer information to comply with GDPR notification requirements. 7) Engage with the vendor or community to track patch releases and apply updates promptly once available.