CVE-2025-9925 is a SQL Injection vulnerability identified in version 1.0 of the projectworlds Travel Management System, specifically affecting the /detail.php file. The vulnerability arises from improper sanitization or validation of the 'pid' parameter, which is used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This could lead to data leakage, unauthorized data modification, or even full compromise of the database depending on the database permissions and structure. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is rated low individually but combined could be significant depending on the data stored. No patches or fixes have been published yet, and while no known exploits are currently in the wild, the exploit code has been made public, increasing the risk of exploitation.

For European organizations using the projectworlds Travel Management System 1.0, this vulnerability poses a risk of unauthorized access to sensitive travel and personal data stored in the system's database. This could lead to breaches of personal data protected under GDPR, resulting in legal and financial penalties. The ability to remotely exploit the vulnerability without authentication increases the risk of automated attacks and data exfiltration. Additionally, attackers could alter booking or travel information, impacting business operations and customer trust. Given the travel industry's importance in Europe, including airlines, travel agencies, and tourism services, exploitation could disrupt services and damage reputations. The medium severity rating suggests that while the vulnerability is serious, the impact might be mitigated if the database permissions are properly restricted or if the system is isolated from the public internet.

Organizations should immediately audit their use of projectworlds Travel Management System 1.0 and restrict access to the /detail.php endpoint, especially the 'pid' parameter. Implementing a Web Application Firewall (WAF) with SQL injection detection rules can help block exploit attempts. Input validation and parameterized queries should be enforced in the application code to prevent injection. Since no official patch is available, organizations should consider isolating the affected system from public networks or applying network-level access controls. Regular database permission reviews should be conducted to ensure least privilege principles are applied. Monitoring logs for unusual query patterns or access to /detail.php can help detect exploitation attempts early. Organizations should also prepare incident response plans specific to data breaches involving travel management data.