CVE-2025-14961 identifies a SQL Injection vulnerability in the Simple Blood Donor Management System version 1.0 developed by code-projects. The vulnerability resides in an unspecified function within the /editedcampaign.php file, where the campaignname parameter is not properly sanitized, allowing attackers to inject arbitrary SQL code. This injection can be executed remotely without authentication or user interaction, making it accessible to any attacker with network access to the application. The vulnerability's CVSS 4.0 score is 6.9 (medium severity), reflecting its network attack vector, low attack complexity, and no required privileges or user interaction. The impact vector includes limited confidentiality, integrity, and availability impacts, indicating that attackers could potentially read or modify some data or disrupt service partially but not fully compromise the system. No patches or fixes have been publicly released yet, and no active exploitation has been reported, though a public exploit is available, increasing the risk of future attacks. The vulnerability is particularly concerning for healthcare organizations managing sensitive donor data, as SQL Injection can lead to data leakage, unauthorized data modification, or denial of service. The lack of input validation and parameterized queries in the affected code is the root cause. Remediation involves sanitizing inputs, using prepared statements, and applying the principle of least privilege to database accounts.

For European organizations, especially those in the healthcare sector using the Simple Blood Donor Management System or similar platforms, this vulnerability poses a risk of unauthorized access to sensitive personal and medical data of blood donors. Exploitation could lead to data breaches, undermining patient privacy and violating GDPR regulations, resulting in legal and financial consequences. Integrity impacts could allow attackers to alter donor records or campaign data, potentially disrupting blood donation operations and trust. Availability impacts, though limited, might cause partial service disruptions, affecting critical healthcare workflows. The public availability of an exploit increases the likelihood of opportunistic attacks, particularly targeting smaller healthcare providers with limited cybersecurity resources. This threat could also affect NGOs and government health agencies involved in blood donation campaigns across Europe, potentially compromising public health initiatives.

Organizations should immediately audit their use of the Simple Blood Donor Management System version 1.0 and identify any instances of the vulnerable /editedcampaign.php endpoint. Since no official patch is currently available, developers must implement input validation and sanitization on the campaignname parameter, ideally replacing dynamic SQL queries with parameterized prepared statements to prevent injection. Database user accounts should be restricted with minimal privileges to limit the impact of any successful injection. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting this endpoint. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities. Additionally, organizations must monitor logs for suspicious database queries or anomalies indicating exploitation attempts. Finally, planning for an upgrade or migration to a patched or alternative blood donor management system is recommended once a fix is released.