CVE Alert: CVE-2025-9924 – projectworlds – Travel Management System
CVE-2025-9924
A vulnerability has been found in projectworlds Travel Management System 1.0. It affects unknown code in the file /enquiry.php: manipulation of the argument t2 leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection with a publicly disclosed PoC, exploitable without authentication. Treat patching and mitigation as a priority.
Why this matters
An attacker can potentially exfiltrate or modify data in the backend database via the vulnerable input, affecting reservations, customer data and financial records. Even where the technical impact is partial, the combination of remote reachability and a publicly known exploit widens the window for automated attacks and mass scanning.
Most likely attack path
An external attacker sends crafted input in the t2 parameter of /enquiry.php to trigger SQL injection. No authentication or user interaction is required; the endpoint is probed directly over the network. A successful attack could disclose or manipulate data, with secondary effects that depend on the database account's permissions and the application logic.
Who is most exposed
Publicly accessible deployments of the Travel Management System, especially those exposed to the Internet and using default configurations. Organisations hosting the app on shared or unsegmented networks are at elevated risk.
Detection ideas
- Logs show SQLi-like payloads in requests to enquiry.php (t2 parameter).
- Database error messages or abnormal query latency linked to /enquiry.php.
- Web server/WAF alerts for SQL injection patterns.
- Repeated scans or failed authentication attempts from external IPs targeting that endpoint.
- Unexpected data being returned in responses to enquiry queries.
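The detection ideas above translate into a small log triage script. The following is an added example, not part of the advisory or the vendor's software: it parses constructed Apache-style access-log lines (sample data, not real traffic), decodes the t2 parameter on requests to /enquiry.php, scores it against common injection indicators, and counts flagged requests and 5xx responses per source address. The log format, field names and indicator patterns are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:00:01 +0000] "GET /enquiry.php?t2=Paris HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2025:10:00:02 +0000] "GET /enquiry.php?t2=Paris%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.9 - - [10/Sep/2025:10:00:03 +0000] "GET /enquiry.php?t2=Paris%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 301 "-" "python-requests/2.31"
198.51.100.7 - - [10/Sep/2025:10:00:04 +0000] "GET /enquiry.php?t2=Cote+d%27Ivoire HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def sqli_indicators(value):
    """Return the names of injection indicators present in one decoded t2 value."""
    found = []
    if re.search(r"['\"]", value):
        found.append("quote")
    if re.search(r"(--|/\*|#)", value):
        found.append("sql-comment")
    if re.search(r"\b(union|select|sleep|benchmark)\b", value, re.I):
        found.append("sql-keyword")
    if re.search(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", value, re.I):
        found.append("tautology")
    return found


def parse_line(line):
    """Split one log line into the fields the triage needs; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes and maps '+' to space
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "t2": params.get("t2", [None])[0],
        "status": int(m.group("status")),
        "size": int(m.group("size")) if m.group("size").isdigit() else 0,
    }


def analyze_log(text):
    """Flag requests to /enquiry.php whose t2 value carries injection indicators,
    or that ended in a server error (a possible database error surfacing)."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/enquiry.php":
            continue
        inds = sqli_indicators(rec["t2"] or "")
        # A lone quote is weak evidence (place names such as "Cote d'Ivoire" contain one);
        # require a stronger indicator or a server-side error before flagging.
        if set(inds) - {"quote"} or rec["status"] >= 500:
            findings.append({**rec, "indicators": inds})
    return findings


def per_source_summary(findings):
    """Count flagged requests and 5xx responses per client IP to surface repeated probing."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["ip"], {"flagged": 0, "errors": 0})
        s["flagged"] += 1
        if f["status"] >= 500:
            s["errors"] += 1
    return summary


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["indicators"], repr(h["t2"]))
    print(per_source_summary(hits))
```

The thresholding in `analyze_log` is the part worth tuning per deployment: the quote-only case is deliberately not alerted on so that legitimate destinations with apostrophes do not drown the signal, while a 5xx on this endpoint is flagged even without a payload match because the advisory's detection list calls out database errors linked to /enquiry.php.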
Mitigation and prioritisation
- Apply vendor patch or upgrade to fixed version immediately; verify via change-control notes.
- Enforce parameterised queries for every statement that touches t2; validate, sanitise and escape the input as a secondary layer.
- Disable or harden the enquiry endpoint if not essential; employ least-privilege DB accounts.
- Enable WAF/IDS rules for SQL injection signatures; tune alerts for this endpoint.
- Conduct regression testing in a staging environment; document a rollback plan.
No EPSS or KEV data is available yet; treat as high priority given the public PoC and remote exploitability.
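To make the parameterised-query recommendation concrete, here is an added example that is not the project's code. The real application is PHP; the example uses Python with an in-memory SQLite table so that it runs anywhere, but the principle is identical to a PDO prepared statement. The vulnerable lookup is a hypothetical illustration of the defect class, and the table schema, column names and allow-list pattern are assumptions.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for the application's database (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE enquiry (id INTEGER PRIMARY KEY, destination TEXT, customer_email TEXT);
        INSERT INTO enquiry (destination, customer_email) VALUES
            ('Paris', 'alice@example.com'),
            ('Rome',  'bob@example.com'),
            ('Tokyo', 'carol@example.com');
    """)
    return conn


def lookup_vulnerable(conn, t2):
    """The defect class named in the advisory: user input concatenated into the SQL text.
    Hypothetical illustration, not the project's code."""
    sql = f"SELECT destination, customer_email FROM enquiry WHERE destination = '{t2}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, t2):
    """Hardened form: t2 is bound to a placeholder, so the engine only ever treats it
    as a value and never parses it as SQL syntax."""
    sql = "SELECT destination, customer_email FROM enquiry WHERE destination = ?"
    return conn.execute(sql, (t2,)).fetchall()


# Assumed allow-list for a destination name: letters, spaces, dots, apostrophes, hyphens; max 64 chars.
DESTINATION_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")


def validate_destination(t2):
    """Second layer of defence: reject input that cannot be a place name before it
    reaches the query. Not a substitute for parameterisation."""
    if not isinstance(t2, str) or not DESTINATION_RE.match(t2):
        raise ValueError("invalid destination")
    return t2


def handle_enquiry(conn, t2):
    """What a fixed request handler does: validate, then query with a bound parameter."""
    return lookup_parameterised(conn, validate_destination(t2))


if __name__ == "__main__":
    db = build_demo_db()
    probe = "Paris' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))       # every row leaks
    print("parameterised:", lookup_parameterised(db, probe))  # no match
    print("handler:", handle_enquiry(db, "Paris"))
```

The contrast is the point: the same tautology input returns the whole table through the concatenated query and nothing through the bound one, because the placeholder keeps the quote characters inside the value. The allow-list is deliberately narrow (ASCII only); widen it for the deployment's real data, but keep the parameterised query as the control that actually closes the injection, and run the endpoint under a database account limited to the tables it needs.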