
CVE-2025-9790: SQL Injection in SourceCodester Hotel Reservation System

Severity: Medium
Tags: Vulnerability, CVE-2025-9790
Published: Mon Sep 01 2025 (09/01/2025, 18:32:07 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Hotel Reservation System

Description

A security flaw has been discovered in SourceCodester Hotel Reservation System 1.0. This affects an unknown part of the file /admin/updateabout.php. The manipulation of the argument address results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.

AI-Powered Analysis

Last updated: 09/01/2025, 19:02:57 UTC

Technical Analysis

CVE-2025-9790 is a SQL Injection vulnerability identified in SourceCodester Hotel Reservation System version 1.0. The flaw exists in the /admin/updateabout.php script, specifically in the handling of the 'address' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which the backend database executes. This vulnerability is remotely exploitable without requiring authentication or user interaction, making it particularly dangerous. The injection can lead to unauthorized data access, data modification, or potentially full compromise of the database. The CVSS 4.0 score of 6.9 (medium severity) reflects the ease of exploitation (network vector, no privileges or user interaction needed) but limited impact on confidentiality, integrity, and availability (low to limited impact). However, the vulnerability's presence in a hotel reservation system is critical because such systems typically store sensitive customer data including personal identification and payment information. The lack of a patch or mitigation details increases risk, especially since the exploit code has been publicly released, raising the likelihood of exploitation by opportunistic attackers.

Potential Impact

For European organizations operating or using the SourceCodester Hotel Reservation System 1.0, this vulnerability poses a significant risk to customer data confidentiality and system integrity. Exploitation could lead to unauthorized disclosure of personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Additionally, attackers could alter reservation data or disrupt booking operations, impacting business continuity. Given the hospitality sector's reliance on trust and data privacy, a breach could lead to loss of customer confidence and financial losses. The remote and unauthenticated nature of the exploit increases the threat level, especially for smaller hotels or chains that may lack robust cybersecurity defenses. Furthermore, the public availability of exploit code lowers the barrier for attackers, potentially increasing attack volume and impact across Europe.

Mitigation Recommendations

Organizations should immediately audit their use of SourceCodester Hotel Reservation System 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, implement web application firewall (WAF) rules specifically targeting SQL injection patterns on the /admin/updateabout.php endpoint and the 'address' parameter. Employ input validation and parameterized queries or prepared statements in the application code to prevent injection. Restrict access to the /admin directory via IP whitelisting or VPN to reduce exposure. Conduct thorough logging and monitoring for unusual database queries or access patterns. Regularly back up databases to enable recovery in case of data tampering. Finally, perform security awareness training for administrators to recognize and respond to suspicious activity promptly.
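The advisory's core code-level recommendation is to replace string-built SQL with parameterized queries and to validate the 'address' value before it reaches the database. The following is an added example and is not SourceCodester's code: the table name `about`, its columns, the row id and the request handling are all assumptions, and the demo runs against an in-memory SQLite database in place of the application's own MySQL backend. The deliberately vulnerable function is shown only to contrast the concatenation pattern the advisory describes with the prepared-statement form that fixes it.

```php
<?php
// Added example, not the Hotel Reservation System's own code.
// Table `about`, column `address` and the fixed row id are assumptions.
declare(strict_types=1);

// The pattern the advisory describes: the request parameter is concatenated
// into the SQL text, so the database parses attacker-controlled input as SQL.
// Kept here only as the "before" form; do not use.
function update_address_vulnerable(PDO $db, string $address): int
{
    $sql = "UPDATE about SET address = '" . $address . "' WHERE id = 1";
    return $db->exec($sql);
}

// Hardened form: the value is bound as a parameter and is never parsed as SQL.
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES => false so the server, not the
// client library, performs the binding.
function update_address_safe(PDO $db, string $address): int
{
    $stmt = $db->prepare("UPDATE about SET address = :address WHERE id = 1");
    $stmt->bindValue(':address', $address, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Input validation as an independent second layer: bound the length and
// restrict the character set to what a postal address needs.
function validate_address(string $address): ?string
{
    $address = trim($address);
    if ($address === '' || strlen($address) > 255) {
        return null;
    }
    // Letters, digits, whitespace and common address punctuation only.
    if (!preg_match('/^[\p{L}\p{N}\s.,\-\/#&()\']+$/u', $address)) {
        return null;
    }
    return $address;
}

// Demo schema and seed row (constructed for this example).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec("CREATE TABLE about (id INTEGER PRIMARY KEY, address TEXT NOT NULL)");
$db->exec("INSERT INTO about (id, address) VALUES (1, '1 Example Street')");

// Constructed sample input: a legitimate address containing an apostrophe.
// The vulnerable function would fail on it (the quote breaks the SQL text);
// the prepared statement stores it verbatim.
$input = $_POST['address'] ?? "12 O'Connell Street, Dublin";
$clean = validate_address($input);
if ($clean === null) {
    http_response_code(400);
    exit("invalid address" . PHP_EOL);
}
$rows = update_address_safe($db, $clean);
echo "rows updated: {$rows}" . PHP_EOL;
echo $db->query("SELECT address FROM about WHERE id = 1")->fetchColumn() . PHP_EOL;
```

The validation step is deliberately not the primary defense: a whitelist can be loosened later by a maintainer who needs to accept a new character, whereas a bound parameter stays safe regardless of what the value contains. Run with `php -S` behind the admin route, or from the CLI as above, to see the apostrophe case handled correctly.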


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-01T10:08:24.375Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b5ea4dad5a09ad00d2953e

Added to database: 9/1/2025, 6:47:41 PM

Last enriched: 9/1/2025, 7:02:57 PM

Last updated: 9/4/2025, 6:00:28 PM
