CVE-2025-3856: SQL Injection in xxyopen Novel-Plus
A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been classified as critical. This affects the function searchByPage of the file /book/searchByPage. The manipulation of the argument sort leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-3856 is a critical SQL injection vulnerability identified in version 5.1.0 of the xxyopen Novel-Plus software, specifically within the searchByPage function located in the /book/searchByPage endpoint. The vulnerability arises due to improper sanitization or validation of the 'sort' parameter, which is directly incorporated into SQL queries without adequate escaping or parameterization. This flaw allows an attacker to inject arbitrary SQL code remotely by manipulating the 'sort' argument, potentially enabling unauthorized access to the backend database. Exploitation could lead to unauthorized data disclosure, data modification, or even full compromise of the database server. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing the risk profile. Although the vendor was notified early, no response or patch has been issued, and while no known exploits have been observed in the wild yet, the public disclosure of the exploit code increases the likelihood of imminent attacks. The lack of vendor response and patch availability further exacerbates the risk for organizations using this specific version of Novel-Plus.
Potential Impact
For European organizations using xxyopen Novel-Plus 5.1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their data. Given that Novel-Plus is likely used for managing or distributing digital content (e.g., novels or publications), exploitation could lead to unauthorized access to sensitive user data, intellectual property theft, or manipulation of content databases. This could damage organizational reputation, lead to regulatory non-compliance (especially under GDPR), and cause operational disruptions. The ability to execute arbitrary SQL commands remotely without authentication means attackers can potentially extract large volumes of data or corrupt databases, impacting service availability. Organizations in sectors such as publishing, education, or digital media in Europe could face targeted attacks, especially if they rely on this software for critical business functions.
Mitigation Recommendations
Given the absence of an official patch, European organizations should immediately implement compensating controls. First, apply strict input validation and sanitization on the 'sort' parameter at the web application firewall (WAF) or reverse proxy level, blocking suspicious SQL keywords or patterns. Employ parameterized queries or prepared statements if possible by modifying the application code. Restrict database user permissions to the minimum necessary, preventing the application account from performing destructive operations. Monitor logs for unusual query patterns or repeated access to /book/searchByPage with anomalous 'sort' values. Network segmentation should isolate the application and database servers to limit lateral movement. If feasible, temporarily disable or restrict access to the vulnerable endpoint until a patch or vendor response is available. Additionally, conduct regular backups of the database to enable recovery in case of compromise. Organizations should also engage with the vendor or community for updates and consider alternative software if the vendor remains unresponsive.
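The recommendations above ask for two things at once: resolve the 'sort' argument safely in the application, and flag requests to /book/searchByPage whose 'sort' value looks anomalous. The example below is added here and is not Novel-Plus code; the book table schema, the allowlist keys and the access-log format are constructed assumptions. It shows the caveat a practitioner needs when applying "use parameterized queries" to this particular bug: an ORDER BY column name cannot be bound as a prepared-statement parameter, so the keyword is bound normally while the sort key is mapped through a server-side allowlist, and the same allowlist doubles as the reference set for the log check.

```python
"""Allowlisted ORDER BY handling plus a log check for anomalous 'sort' values.

Added example, not Novel-Plus code. The book table schema, the allowlist keys
and the access-log format are constructed assumptions for this illustration.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Client-facing sort keys mapped to fixed, server-defined SQL fragments.
# Column names cannot be bound as prepared-statement parameters, so the only
# safe way to let a client choose the ordering is to map its value onto
# fragments the server controls and reject everything else.
SORT_ALLOWLIST = {
    "visit_count": "visit_count DESC",
    "book_name": "book_name ASC",
    "id": "id ASC",
}


def make_db():
    """Constructed in-memory table standing in for the real book table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE book (id INTEGER, book_name TEXT, visit_count INTEGER);"
        "INSERT INTO book VALUES (1,'Alpha',30),(2,'Beta',10),(3,'Gamma',20);"
    )
    return conn


def search_by_page(conn, keyword, sort):
    """Hardened search: the keyword is bound as a parameter, the sort key is
    resolved through the allowlist, and unknown keys are rejected outright."""
    order_by = SORT_ALLOWLIST.get(sort)
    if order_by is None:
        raise ValueError(f"rejected sort value: {sort!r}")
    sql = "SELECT id FROM book WHERE book_name LIKE ? ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql, (f"%{keyword}%",))]


def anomalous_sort_requests(log_lines):
    """Return (client, sort_value) pairs for requests to /book/searchByPage
    whose 'sort' query value is not an allowlisted key.

    Expects lines in the constructed shape used by SAMPLE_LOG:
    '<client> "<METHOD> <path?query> <protocol>" <status>'.
    """
    hits = []
    for line in log_lines:
        try:
            client, request = line.split(' "', 1)
            _method, target, _rest = request.split(" ", 2)
        except ValueError:
            continue  # line does not match the expected shape; skip it
        parts = urlsplit(target)
        if parts.path != "/book/searchByPage":
            continue
        # parse_qs percent-decodes values, so encoded spaces and punctuation
        # are compared in their decoded form against the allowlist.
        for value in parse_qs(parts.query).get("sort", []):
            if value not in SORT_ALLOWLIST:
                hits.append((client, value))
    return hits


# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 "GET /book/searchByPage?keyword=a&sort=visit_count HTTP/1.1" 200',
    '10.0.0.9 "GET /book/searchByPage?keyword=a&sort=book_name%20DESC HTTP/1.1" 200',
    '10.0.0.5 "GET /index HTTP/1.1" 200',
]

if __name__ == "__main__":
    db = make_db()
    print(search_by_page(db, "a", "visit_count"))
    print(anomalous_sort_requests(SAMPLE_LOG))
```

The allowlist is deliberately a mapping rather than a regex on the raw value: a pattern such as "letters and underscores only" would still let a client name any column, including ones the endpoint was never meant to expose, whereas the mapping pins both the column and the direction. The log check reports every request whose sort value falls outside that same set, which makes repeated hits from one client the signal to alert on.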
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-04-21T14:20:20.282Z
- CISA Enriched: true
Threat ID: 682d984ac4522896dcbf78ed
Added to database: 5/21/2025, 9:09:30 AM
Last enriched: 6/21/2025, 3:53:35 PM
Last updated: 11/22/2025, 6:08:36 PM
Views: 27