
CVE-2025-9050: SQL Injection in projectworlds Travel Management System

Severity: Medium
Published: Fri Aug 15 2025 (08/15/2025, 11:32:05 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: Travel Management System

Description

A vulnerability was found in projectworlds Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /addcategory.php. The manipulation of the argument t1 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis, last updated: 08/15/2025, 12:02:49 UTC

Technical Analysis

CVE-2025-9050 is a SQL Injection vulnerability identified in version 1.0 of the projectworlds Travel Management System, specifically within the /addcategory.php file. The vulnerability arises from improper sanitization or validation of the 't1' parameter, which an attacker can manipulate to inject malicious SQL code. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands against the backend database without any user interaction or privileges. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), requiring no authentication (PR:N), no user interaction (UI:N), and has low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability is exploitable remotely, and while no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The lack of patches or mitigation guidance from the vendor at this time further elevates the risk. SQL Injection vulnerabilities can lead to unauthorized data access, data modification, or deletion, and potentially full system compromise depending on the database privileges. Given the nature of the Travel Management System, sensitive customer and travel data could be exposed or manipulated, impacting business operations and privacy compliance.

Potential Impact

For European organizations using the projectworlds Travel Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive travel-related data, including personal identification, booking details, and payment information. Exploitation could lead to unauthorized data disclosure, data tampering, or disruption of travel management services, which may result in operational downtime and reputational damage. Additionally, given the strict data protection regulations in Europe such as GDPR, any data breach resulting from this vulnerability could lead to substantial regulatory fines and legal consequences. The remote and unauthenticated nature of the exploit increases the likelihood of attacks originating from external threat actors targeting European travel agencies or service providers. The medium severity rating suggests that while the impact is serious, it may not lead to full system takeover without additional vulnerabilities or misconfigurations. However, the public availability of exploit code lowers the barrier for attackers, increasing the urgency for mitigation.

Mitigation Recommendations

European organizations should immediately audit their use of projectworlds Travel Management System version 1.0 and prioritize upgrading to a patched version once one is available. In the absence of an official patch, organizations should implement the following mitigations:

1) Apply Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 't1' parameter in /addcategory.php.
2) Validate and sanitize all user-supplied input, especially the 't1' parameter, and use parameterized queries or prepared statements so that input is bound as data rather than concatenated into SQL text.
3) Restrict database user privileges to the minimum necessary, ensuring the database account used by the application cannot perform destructive operations.
4) Monitor application and database logs for unusual queries or errors indicative of injection attempts.
5) Isolate the Travel Management System in a segmented network zone to limit lateral movement in case of compromise.
6) Educate development and security teams about secure coding practices to prevent similar vulnerabilities in future versions.

Incident response plans should be prepared in advance so that any detected exploitation can be handled promptly.
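The following is an added illustration of mitigation item 2, not the projectworlds code (the page does not reproduce the contents of /addcategory.php): a hypothetical "add category" handler showing the string-concatenation pattern that makes the 't1' parameter injectable, beside a hardened version using a mysqli prepared statement. The table name, column name, and connection details are assumed placeholders.

```php
<?php
// Hypothetical sketch of an "add category" handler; NOT the projectworlds code.
// Table "category", column "name" and the connection values are assumptions.

// --- Vulnerable pattern: user input concatenated straight into the SQL text ---
function add_category_vulnerable(mysqli $db, string $t1): bool
{
    // Whatever the client sends in t1 becomes part of the SQL statement itself,
    // so a quote character in t1 changes the query structure.
    $sql = "INSERT INTO category (name) VALUES ('" . $t1 . "')";
    return $db->query($sql) !== false;
}

// --- Hardened pattern: validate, then bind t1 as a parameter ---
function add_category_safe(mysqli $db, string $t1): bool
{
    // Server-side validation first: reject empty or oversized names.
    $t1 = trim($t1);
    if ($t1 === '' || mb_strlen($t1) > 64) {
        return false;
    }
    // The SQL text is fixed; the value is sent separately as data.
    $stmt = $db->prepare("INSERT INTO category (name) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $t1);   // "s" = bind as string parameter
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed connection (placeholders). Per mitigation item 3, this account should
// hold only the INSERT/SELECT rights the application actually needs.
$db = new mysqli("localhost", "tms_app", "CHANGE_ME", "travel");
$db->set_charset("utf8mb4");

$t1 = $_POST['t1'] ?? '';
if (!add_category_safe($db, $t1)) {
    // Log rejected input (mitigation item 4) without echoing it back to the client.
    error_log("addcategory: rejected t1 input from " . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(400);
    exit("invalid category");
}
echo "category added";
```

With the prepared statement, a value containing quotes or SQL keywords is stored literally as the category name; the rejected-input log line gives the monitoring recommended in item 4 something concrete to alert on.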


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-14T19:34:10.885Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689f1e64ad5a09ad006bde58

Added to database: 8/15/2025, 11:47:48 AM

Last enriched: 8/15/2025, 12:02:49 PM

Last updated: 8/19/2025, 12:34:28 AM

