
CVE-2025-9052: SQL Injection in projectworlds Travel Management System

Severity: Medium
Published: Fri Aug 15 2025 (08/15/2025, 12:32:05 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: Travel Management System

Description

A vulnerability was identified in projectworlds Travel Management System 1.0. This affects an unknown part of the file /updatepackage.php. The manipulation of the argument s1 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/15/2025, 13:02:44 UTC

Technical Analysis

CVE-2025-9052 is a SQL injection vulnerability in version 1.0 of the projectworlds Travel Management System, located in the /updatepackage.php file. The flaw stems from missing sanitization or validation of the 's1' parameter, which lets a remote attacker inject SQL into the backend query without authentication or user interaction. An attacker who controls the query can read, modify, or delete database contents. The CVSS 4.0 base score of 6.9 (medium) reflects a network attack vector with no privileges or user interaction required, combined with impacts on confidentiality, integrity, and availability that are rated low. Even at that rating, the realistic outcomes are data leakage and unauthorized changes to records. No exploitation in the wild has been reported, but the public disclosure of an exploit raises the likelihood of attempts. Because the vendor has not published a patch or mitigation, organizations running this software need to apply protective measures themselves.
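The defect class described above, shown as an added example rather than the vendor's code: the CVE record does not publish the application's query, so the `packages` table, the `update_name_*` handlers and the use of Python/sqlite3 are assumptions standing in for the PHP application. The vulnerable handler splices the `s1` value into the statement text; the hardened handler keeps the statement fixed and binds `s1` as a parameter.

```python
"""Added example (not projectworlds' code): a constructed update handler showing
why an unescaped 's1' value reaches the SQL parser as syntax, and the
parameterized form that keeps it as data. Schema and function names are assumed."""
import sqlite3


def make_db():
    """Constructed schema; the real application's tables are not published in the CVE record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO packages (id, name) VALUES (?, ?)",
        [(3, "Alpine Tour"), (4, "Coastal Tour")],
    )
    conn.commit()
    return conn


def update_name_vulnerable(conn, package_id, s1):
    """Defect pattern: 's1' is concatenated into the SQL text, so any quote in it
    terminates the string literal and the remainder is parsed as SQL."""
    sql = f"UPDATE packages SET name = '{s1}' WHERE id = {int(package_id)}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_name_safe(conn, package_id, s1):
    """Hardened form: fixed statement text, 's1' travels as a bound parameter.
    Input validation (here a length bound) is applied separately and does not
    replace parameterization."""
    if not 1 <= len(s1) <= 100:
        raise ValueError("package name must be 1..100 characters")
    cur = conn.execute(
        "UPDATE packages SET name = ? WHERE id = ?", (s1, int(package_id))
    )
    conn.commit()
    return cur.rowcount


def get_name(conn, package_id):
    row = conn.execute(
        "SELECT name FROM packages WHERE id = ?", (int(package_id),)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Feed a legitimate value containing a quote through both handlers."""
    conn = make_db()
    tricky = "O'Brien Tour"  # constructed input; the quote is the injection point
    try:
        update_name_vulnerable(conn, 3, tricky)
        vulnerable_result = "accepted"
    except sqlite3.OperationalError as exc:
        # The quote ended the literal and the parser saw 'Brien Tour' as SQL.
        vulnerable_result = f"syntax error: {exc}"
    safe_rows = update_name_safe(conn, 3, tricky)
    return vulnerable_result, safe_rows, get_name(conn, 3)


if __name__ == "__main__":
    print(demo())
```

The syntax error from the vulnerable handler is the tell: the database engine is interpreting part of the user-supplied value as statement structure, which is exactly the condition an attacker-chosen value exploits. The bound-parameter version stores the same value unchanged, and the length check shows where validation belongs once the query itself is no longer built from input.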

Potential Impact

For European organizations using projectworlds Travel Management System 1.0, this vulnerability could lead to unauthorized access to sensitive travel-related data, including personal information of customers and business travel details. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, attackers could alter booking or travel management data, disrupting business operations and causing financial losses. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in organizations that expose this system to the internet without adequate network segmentation or web application firewalls. Given the travel industry's critical role in Europe’s economy and the sensitivity of travel data, exploitation could have cascading effects on partner organizations and customers.

Mitigation Recommendations

Organizations should immediately audit their use of projectworlds Travel Management System 1.0 and restrict external access to the /updatepackage.php endpoint, ideally isolating the system behind a VPN or internal network. Implementing a Web Application Firewall (WAF) with specific SQL injection detection and prevention rules targeting the 's1' parameter can help block exploitation attempts. Input validation and parameterized queries should be enforced if source code access is available, or the vendor should be contacted for an official patch or update. Regular monitoring of logs for suspicious SQL query patterns or anomalous database activity is recommended. Additionally, organizations should conduct penetration testing focused on SQL injection vectors and prepare incident response plans for potential data breaches. If feasible, migrating to a newer, patched version or alternative software should be considered.
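The log-monitoring recommendation above, as an added example that is not part of the advisory or the vendor's tooling: a small scanner that reads web-server access log lines, keeps only requests to /updatepackage.php, decodes the `s1` query parameter named in the CVE record, and flags values carrying more than one class of SQL indicator. The log lines are constructed, and the scoring thresholds are an assumption to tune against real traffic.

```python
"""Added example (not from the advisory or projectworlds): detect requests to
/updatepackage.php whose 's1' parameter carries SQL injection indicators.
Sample log lines below are constructed, not captured traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined-log style (IPs from the TEST-NET-3 range).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Aug/2025:12:40:01 +0000] "GET /updatepackage.php?s1=Alpine+Tour&id=3 HTTP/1.1" 200 512',
    '203.0.113.11 - - [15/Aug/2025:12:40:07 +0000] "GET /updatepackage.php?s1=x%27+OR+%271%27%3D%271&id=3 HTTP/1.1" 200 512',
    '203.0.113.12 - - [15/Aug/2025:12:40:09 +0000] "GET /index.php?s1=%27+OR+1%3D1 HTTP/1.1" 200 120',
    '203.0.113.13 - - [15/Aug/2025:12:41:22 +0000] "GET /updatepackage.php?s1=Coastal%27%3B--&id=4 HTTP/1.1" 500 0',
    '203.0.113.14 - - [15/Aug/2025:12:42:05 +0000] "GET /updatepackage.php?s1=O%27Brien+Tour&id=5 HTTP/1.1" 200 512',
]

TARGET_PATH = "/updatepackage.php"   # endpoint named in the CVE record
TARGET_PARAM = "s1"                  # parameter named in the CVE record

# Three indicator classes; a hit needs at least two so that a lone apostrophe
# in a legitimate name (O'Brien) does not raise an alert.
INDICATORS = [
    re.compile(r"['\"]"),                                   # string delimiters
    re.compile(r"--|/\*|#|;"),                              # comment / statement terminators
    re.compile(r"\b(union|select|insert|update|delete|drop|or|and)\b", re.I),
]
MIN_SCORE = 2  # assumed threshold; tune against real traffic

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def score_value(value):
    """Number of distinct indicator classes present in a decoded parameter value."""
    return sum(1 for pat in INDICATORS if pat.search(value))


def scan_line(line):
    """Return an alert dict for a suspicious request to the target endpoint, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None  # out of scope for this rule; other endpoints need their own
    # parse_qs undoes percent-encoding and '+', so indicators hidden by encoding are visible.
    for value in parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, []):
        score = score_value(value)
        if score >= MIN_SCORE:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "s1": value,
                "score": score,
            }
    return None


def scan_log(lines):
    """Scan an iterable of log lines and return the alerts in order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two caveats for anyone running this against real logs. The CVE record does not say whether `s1` arrives in the query string or a POST body; standard access logs record only the former, so form-submitted values need WAF or application-level logging to be visible at all. And a 500 status paired with an indicator hit, as in the fourth constructed line, is worth separate attention, since a server error on a tampered parameter often means the value reached the SQL parser.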


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-14T19:34:15.909Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689f2c73ad5a09ad006c9e07

Added to database: 8/15/2025, 12:47:47 PM

Last enriched: 8/15/2025, 1:02:44 PM

Last updated: 8/15/2025, 1:17:51 PM
