The vulnerability identified as CVE-2026-4875 affects the itsourcecode Free Hotel Reservation System version 1.0. It resides in the /admin/mod_amenities/index.php file, specifically in the functionality handling the 'image' parameter when adding amenities. The flaw allows an attacker with high privileges to upload files without proper restrictions or validation, effectively enabling unrestricted file upload. This can be exploited remotely without user interaction. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), but requires high privileges (PR:H), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability could allow attackers to upload malicious scripts or files, potentially leading to unauthorized code execution, data tampering, or denial of service if the uploaded files are executed or accessed improperly. Although no public patches or exploits are currently available, the public disclosure increases the likelihood of exploitation attempts. The vulnerability is limited to version 1.0 of the product, which is a niche hotel reservation system, potentially limiting the affected population but still posing a risk to organizations relying on this software for their booking operations.

The unrestricted file upload vulnerability can lead to several adverse impacts for organizations using the affected software. Attackers with high privileges could upload malicious files such as web shells, enabling remote code execution and full system compromise. This could result in data breaches, unauthorized access to sensitive customer and business data, and disruption of hotel reservation services. The integrity of the system could be compromised by tampering with files or injecting malicious content. Availability could be impacted if attackers upload files that cause application crashes or denial of service. Although the vulnerability requires high privileges, if an attacker can escalate privileges or if administrative credentials are compromised, the risk increases significantly. The impact is particularly critical for hospitality organizations that rely on uninterrupted reservation services and handle sensitive customer information. Additionally, reputational damage and regulatory penalties could arise from exploitation of this vulnerability.

To mitigate this vulnerability, organizations should immediately restrict access to the affected administrative module to trusted personnel only and monitor for any suspicious upload activity. Implement strict server-side validation of uploaded files, including checking file types, sizes, and content signatures to prevent malicious files from being accepted. Employ web application firewalls (WAFs) with rules to detect and block malicious upload attempts. If possible, upgrade or patch the Free Hotel Reservation System to a version that addresses this vulnerability once available. In the absence of an official patch, consider disabling the vulnerable upload functionality or isolating the affected module in a segmented network environment. Regularly audit user privileges to ensure that only necessary users have high-level access. Conduct security awareness training for administrators to recognize and report suspicious activities. Finally, maintain comprehensive backups and incident response plans to quickly recover from potential exploitation.