CVE-2025-9925: SQL Injection in projectworlds Travel Management System
A vulnerability was found in projectworlds Travel Management System 1.0. This issue affects some unknown processing of the file /detail.php. The manipulation of the argument pid results in SQL injection. The attack can be executed remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-9925 is a SQL Injection vulnerability identified in version 1.0 of the projectworlds Travel Management System, specifically affecting the /detail.php file. The vulnerability arises from improper sanitization or validation of the 'pid' parameter, which is used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This could lead to unauthorized data disclosure, data modification, or even deletion of critical records. The vulnerability does not require any authentication or user interaction, making it exploitable by any remote attacker with network access to the affected system. The CVSS 4.0 base score is 6.9, categorizing it as a medium severity issue. The vector indicates that the attack is network exploitable (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and has partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently observed in the wild, the exploit code has been publicly disclosed, increasing the risk of exploitation. The lack of available patches or mitigation guidance from the vendor further elevates the threat. Given the nature of travel management systems, which typically handle sensitive customer data such as personal identification, travel itineraries, and payment information, exploitation could have significant privacy and operational consequences.
Potential Impact
For European organizations using the projectworlds Travel Management System 1.0, this vulnerability poses a tangible risk to the confidentiality, integrity, and availability of sensitive travel and customer data. Exploitation could lead to unauthorized data extraction, including personally identifiable information (PII), travel plans, and potentially payment details, which would violate GDPR requirements and lead to regulatory penalties. Integrity compromise could result in altered travel bookings or fraudulent modifications, disrupting business operations and customer trust. Availability impacts could cause service outages, affecting customer experience and operational continuity. The remote and unauthenticated nature of the exploit increases the risk of automated attacks or mass exploitation attempts. European travel agencies, tour operators, and related service providers using this system could face reputational damage, financial losses, and legal consequences if the vulnerability is exploited. Additionally, attackers could leverage the compromised systems as footholds for further network intrusion or lateral movement within organizational networks.
Mitigation Recommendations
Given the absence of official patches, European organizations should immediately implement compensating controls. These include:
1) Applying strict input validation and parameterized queries or prepared statements in the /detail.php script to prevent SQL injection; if source code modification is not feasible, consider deploying a Web Application Firewall (WAF) with rules specifically targeting SQL injection patterns on the 'pid' parameter.
2) Restricting network access to the Travel Management System to trusted IP ranges and enforcing strong network segmentation to limit exposure.
3) Monitoring web server logs and database logs for suspicious queries or repeated access attempts targeting the 'pid' parameter.
4) Conducting a thorough audit of the database for signs of unauthorized access or data manipulation.
5) Planning an upgrade or migration to a newer, patched version of the software or an alternative solution.
6) Ensuring regular backups of critical data are maintained and tested for restoration to mitigate potential data loss.
7) Educating IT staff about the vulnerability and encouraging prompt incident reporting and response.
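As an added example for the log-monitoring recommendation (item 3) and the input-validation rule behind item 1, the following scanner flags /detail.php requests whose 'pid' value is not a plain positive integer; this is illustrative code written for this analysis, not code from projectworlds or the advisory. It assumes Apache/nginx combined log format, the log lines are constructed samples rather than real traffic, and the SQL_TOKENS list is an assumed set of substrings used only to label why a value was flagged.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that never occur in a legitimate numeric record id (assumed list, used only
# to label why a value was flagged; any non-integer pid is flagged regardless).
SQL_TOKENS = ("'", '"', "--", "/*", ";", " or ", " and ", "union", "select", "sleep(")


def is_valid_pid(value: str) -> bool:
    """The record id read by /detail.php must be a plain positive integer."""
    return value.isdigit() and 1 <= int(value) <= 2**31 - 1


def scan_log(lines):
    """Return (client_ip, pid_value, reason) for every /detail.php request
    whose pid is not a clean integer. Double percent-encoding is unwrapped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in combined format
        url = urlsplit(m["target"])
        if url.path != "/detail.php":
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("pid", []):
            pid = unquote_plus(raw)  # parse_qs decoded once; catch %2527-style double encoding
            if is_valid_pid(pid):
                continue
            hits = [t for t in SQL_TOKENS if t in pid.lower()]
            reason = "sql-token:" + ",".join(hits) if hits else "non-numeric"
            findings.append((m["ip"], pid, reason))
    return findings


# Constructed sample log lines (not real traffic); only the 2nd, 4th and 5th should be flagged.
SAMPLE_LOG = [
    '198.51.100.10 - - [03/Sep/2025:19:47:48 +0000] "GET /detail.php?pid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Sep/2025:19:48:01 +0000] "GET /detail.php?pid=7\' HTTP/1.1" 500 312 "-" "curl/8.0"',
    '203.0.113.5 - - [03/Sep/2025:19:48:02 +0000] "GET /index.php?pid=abc HTTP/1.1" 200 900 "-" "curl/8.0"',
    '203.0.113.5 - - [03/Sep/2025:19:48:03 +0000] "GET /detail.php?pid=abc HTTP/1.1" 200 900 "-" "curl/8.0"',
    '203.0.113.5 - - [03/Sep/2025:19:48:04 +0000] "GET /detail.php?pid=12%2527 HTTP/1.1" 500 312 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, pid, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\tpid={pid!r}\t{reason}")
```

The same is_valid_pid check is the rule a fix in /detail.php should enforce before the value ever reaches a query, with the query itself bound as a parameter rather than concatenated.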
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-03T11:22:09.436Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b89b64ad5a09ad00f9d124
Added to database: 9/3/2025, 7:47:48 PM
Last enriched: 9/3/2025, 8:02:57 PM
Last updated: 9/4/2025, 10:24:36 PM