CVE-2025-9789 is a SQL Injection vulnerability identified in version 1.0 of the SourceCodester Online Hotel Reservation System, specifically within the /admin/edituser.php file. The vulnerability arises from improper sanitization or validation of the 'userid' parameter, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database without requiring any user interaction or privileges. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no authentication required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is low to limited, suggesting that while the attacker can manipulate some data or retrieve limited information, the overall damage scope is constrained. No known exploits are currently reported in the wild, but public exploit code is available, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is a niche online hotel reservation system, likely used by small to medium hospitality businesses. The lack of patches or vendor-provided fixes at the time of publication increases the urgency for mitigation.

For European organizations, especially those in the hospitality sector using the SourceCodester Online Hotel Reservation System version 1.0, this vulnerability poses a risk of unauthorized data access or modification. Attackers could leverage the SQL injection to extract sensitive user information, including personal details of hotel guests or administrative users, potentially leading to privacy violations under GDPR. Additionally, attackers might alter reservation data or user credentials, disrupting business operations and damaging customer trust. Although the impact is rated medium, the hospitality industry is a frequent target for cyberattacks due to the valuable personal and payment data processed. Exploitation could also lead to reputational damage and regulatory penalties. Given the remote and unauthenticated nature of the exploit, attackers could scan for vulnerable instances across Europe and launch automated attacks, increasing the threat surface for affected organizations.

Organizations should immediately audit their use of the SourceCodester Online Hotel Reservation System to identify if version 1.0 is deployed. Since no official patches are currently available, mitigation should focus on implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'userid' parameter in /admin/edituser.php. Input validation and parameterized queries should be enforced in the application code to prevent injection. If possible, upgrade to a newer, patched version of the software or consider migrating to a more secure reservation system. Network segmentation and restricting administrative interface access to trusted IP addresses can reduce exposure. Regular security assessments and penetration testing should be conducted to identify similar injection points. Monitoring logs for unusual database queries or failed injection attempts can provide early detection of exploitation attempts.