CVE Alert: CVE-2025-9425 – itsourcecode – Online Tour and Travel Management System

Risk verdict

High risk due to a publicly released, remotely exploitable SQL injection in enquiry.php pid parameter; PoC exists, exploitation can be attempted without authentication.

Why this matters

The vulnerability enables potential data exfiltration or tampering with bookings and related records, and may cause service disruption. Because the web component is internet-facing, automated scanners could exploit broadly across affected deployments, affecting customer data and operations.

Most likely attack path

No user interaction or credentials required; remote attacker sends crafted pid values over HTTP to the vulnerable endpoint. The issue’s SQL injection can read or modify database data, with potential lateral movement limited by application privileges but possible if DB credentials reside on the same host or are exposed via the app.

Who is most exposed

Public deployments of itsourcecode Online Tour and Travel Management System 1.0, common among small to mid-sized travel agencies, hosting providers, or SaaS vendors that expose enquiry.php to customers.

Detection ideas

• Suspicious pid parameters in enquiry.php requests with SQL syntax
• Database error messages or unusual error traces in app/web server logs
• WAF/IPS alerts for SQLi payloads (UNION SELECT, tautologies, etc.)
• Unusual spikes in 500s or query latency around enquiry.php
• Anomalous data returned to users following enquiry submissions

Mitigation and prioritisation

• Apply vendor patch or upgrade to patched version; if unavailable, implement immediate code fix.
• Replace dynamic queries with prepared statements/parameterised queries.
• Input validation and strict whitelisting for pid; disable verbose error output.
• Enable WAF rules targeting SQLi patterns; implement rate limiting and IP filtering.
• Plan patch deployment in a controlled window; verify logs and monitor for exploitation attempts.