CVE-2025-0297 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Online Book Shop application. The vulnerability resides in the /detail.php file, specifically in the handling of the 'id' parameter. An attacker can manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability can be exploited remotely without requiring user interaction or prior authentication, making it accessible to a wide range of attackers. The CVSS 4.0 base score is 5.3, indicating a medium severity level. The vector string (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) suggests that the attack can be performed over the network with low complexity, no user interaction, and requires low privileges. The impact on confidentiality, integrity, and availability is limited but present, as the vulnerability could allow an attacker to read or alter data with some restrictions. No public exploits have been reported in the wild yet, and no patches or mitigations have been officially released by the vendor. This vulnerability is critical to address due to the potential for data leakage or unauthorized data manipulation in an e-commerce context, which could lead to financial fraud or loss of customer trust.

For European organizations using the code-projects Online Book Shop 1.0, this vulnerability poses a risk of unauthorized data access and manipulation. Given the nature of online book shops, sensitive customer information such as personal details, purchase history, and payment data could be exposed or altered. This could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. Additionally, attackers could manipulate product or pricing data, causing financial losses or disrupting business operations. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially if the application is publicly accessible. Organizations relying on this software may face operational disruptions and customer trust erosion if the vulnerability is exploited. The medium severity rating suggests that while the impact is significant, it may not lead to complete system compromise or widespread availability loss, but the risk remains substantial in the e-commerce sector.

1. Immediate code review and sanitization of the 'id' parameter in /detail.php to prevent SQL injection, using parameterized queries or prepared statements. 2. Implement web application firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting the vulnerable parameter. 3. Restrict database user privileges to the minimum necessary to limit the impact of any successful injection. 4. Conduct thorough security testing, including automated and manual penetration testing focused on injection flaws. 5. Monitor application logs for unusual query patterns or repeated failed attempts to exploit the 'id' parameter. 6. If possible, upgrade or patch the application once the vendor releases a fix. 7. Educate development teams on secure coding practices to prevent similar vulnerabilities in future releases. 8. Isolate the vulnerable application in a segmented network zone to reduce exposure.