CVE-2025-63622 identifies a critical SQL injection vulnerability in the Online Complaint Site 1.0 developed by code-projects. The vulnerability exists in the processing of the 'category' argument within the /cms/admin/subcategory.php script. Due to insufficient input sanitization or improper query construction, an attacker can inject malicious SQL code that alters the intended database queries. This flaw allows remote attackers to execute arbitrary SQL commands without authentication or user interaction, potentially leading to unauthorized data disclosure, data modification, or complete database compromise. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported, the vulnerability's characteristics make it highly exploitable. The lack of available patches at the time of disclosure increases the urgency for organizations to implement compensating controls. This vulnerability primarily affects installations of the Online Complaint Site 1.0, which may be used by organizations managing citizen complaints or customer feedback through web-based CMS platforms.

For European organizations, this vulnerability poses a severe risk, especially for public sector entities and private companies relying on the affected complaint management system. Exploitation could lead to unauthorized access to sensitive complaint data, including personal information of citizens or customers, violating GDPR and other data protection regulations. Data integrity could be compromised, allowing attackers to alter complaint records or administrative data, undermining trust and operational reliability. Availability impacts could result from destructive SQL commands, causing service outages and disrupting complaint handling processes. The critical severity and ease of exploitation mean attackers can remotely compromise systems without authentication, increasing the likelihood of attacks. This could lead to reputational damage, regulatory penalties, and financial losses. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score demands immediate attention.

Given the absence of official patches, European organizations should prioritize immediate mitigation steps: 1) Implement strict input validation and sanitization on the 'category' parameter to reject or neutralize malicious input. 2) Employ parameterized queries or prepared statements in the backend code to prevent SQL injection. 3) Restrict access to the /cms/admin/ directory using network segmentation, IP whitelisting, or VPN access to reduce exposure. 4) Monitor web application logs for suspicious SQL syntax or anomalous request patterns targeting the 'category' parameter. 5) Conduct code reviews and penetration testing focused on SQL injection vectors within the complaint management system. 6) If possible, temporarily disable or restrict the vulnerable functionality until a vendor patch is released. 7) Educate administrators on the risks and signs of exploitation attempts. 8) Maintain regular backups of the database to enable recovery in case of compromise. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and attack vector.