CVE-2025-7475: SQL Injection in code-projects Simple Car Rental System

Severity: Medium
Tags: Vulnerability, CVE-2025-7475
Published: Sat Jul 12 2025 (07/12/2025, 12:32:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Car Rental System

Description

A vulnerability classified as critical has been found in code-projects Simple Car Rental System 1.0. This affects an unknown part of the file /pay.php. The manipulation of the argument mpesa leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/19/2025, 20:53:23 UTC

Technical Analysis

CVE-2025-7475 is a SQL injection vulnerability, classified as critical in the CVE description, in version 1.0 of the code-projects Simple Car Rental System, located in the /pay.php file. It arises from insufficient sanitization or validation of the 'mpesa' parameter, which a remote attacker can manipulate without authentication or user interaction, so that attacker-controlled input is interpreted as part of a query sent to the backend database. Exploitation could enable unauthorized reading, modification, or deletion of data, compromising the confidentiality, integrity, and availability of the system's data. The CVSS 4.0 base score is 6.9, a medium severity level: network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. No exploitation in the wild is currently known, but the public disclosure of the vulnerability increases the likelihood of attempts. With no patch or mitigation links available, organizations running this software must address the issue themselves to prevent exploitation.

Potential Impact

For European organizations using the Simple Car Rental System 1.0, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive customer and payment data, undermining data privacy obligations under GDPR. It could also result in financial fraud, service disruption, and reputational damage. Given the critical nature of car rental services in tourism and transportation sectors across Europe, a breach could disrupt operations and erode customer trust. Furthermore, the ability to exploit this vulnerability remotely without authentication increases the attack surface, making it easier for threat actors to target these organizations. The potential for data exfiltration or manipulation could also have legal and regulatory consequences, including fines and mandatory breach notifications.

Mitigation Recommendations

Organizations should immediately audit their use of the Simple Car Rental System 1.0 and isolate any instances running the vulnerable version. Since no official patches are currently available, the following specific mitigations are recommended:

1) Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'mpesa' parameter.
2) Apply input validation and sanitization at the application level, especially for all parameters interacting with the database.
3) Employ parameterized queries or prepared statements in the codebase to prevent injection.
4) Restrict database user privileges to the minimum necessary to limit the impact of a successful injection.
5) Monitor logs for unusual database queries or access patterns indicative of exploitation attempts.
6) Consider temporarily disabling or restricting access to the /pay.php endpoint until a patch or update is available.
7) Engage with the vendor or community to obtain updates or patches as soon as they are released.
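The following PHP script is an added illustration of mitigations 2 and 3 above and of the flaw described in the Technical Analysis (a request parameter spliced into query text). It is not code from this page or from code-projects' own /pay.php: the table and column names, the assumed format of a valid 'mpesa' value, the request source, and the use of an in-memory SQLite database in place of the application's real backend are all assumptions made for the example.

```php
<?php
// Added example, not code from the Simple Car Rental System. It reconstructs
// the kind of pattern behind CVE-2025-7475 (a request parameter concatenated
// into a query string) next to its hardened form. Table and column names, the
// format of a valid 'mpesa' value, and the request source are assumptions.

// Constructed in-memory SQLite database standing in for the application's backend.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE payments (id INTEGER PRIMARY KEY, mpesa TEXT NOT NULL, amount INTEGER NOT NULL)');
$pdo->exec("INSERT INTO payments (mpesa, amount) VALUES ('ABC123', 50), ('XYZ789', 75)");

// Vulnerable pattern: the client-controlled value becomes part of the SQL text,
// so a quote character inside it changes the structure of the query.
function lookupPaymentVulnerable(PDO $pdo, string $mpesa): array
{
    $sql = "SELECT id, amount FROM payments WHERE mpesa = '" . $mpesa . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Mitigation 2: allow-list validation before the value reaches any query.
// Assumption: a payment reference is a short upper-case alphanumeric token.
function isValidMpesa(string $mpesa): bool
{
    return preg_match('/^[A-Z0-9]{6,20}$/', $mpesa) === 1;
}

// Mitigation 3: a prepared statement with a bound parameter. The driver sends
// the value separately from the query text, so it is only ever treated as data.
function lookupPaymentSafe(PDO $pdo, string $mpesa): array
{
    if (!isValidMpesa($mpesa)) {
        return []; // reject malformed input; log the rejection server-side in a real app
    }
    $stmt = $pdo->prepare('SELECT id, amount FROM payments WHERE mpesa = :mpesa');
    $stmt->execute([':mpesa' => $mpesa]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In /pay.php the value would come from the request (e.g. $_POST['mpesa']).
// Here two constructed inputs are used: a well-formed reference, and a string
// that closes the quote and appends a condition that is always true.
$inputs = [
    'well-formed'    => 'ABC123',
    'quote-breaking' => "' OR '1'='1",
];

foreach ($inputs as $label => $value) {
    $vuln = count(lookupPaymentVulnerable($pdo, $value));
    $safe = count(lookupPaymentSafe($pdo, $value));
    printf("%-15s vulnerable: %d row(s)   hardened: %d row(s)\n", $label, $vuln, $safe);
}
```

Run it with `php example.php` on a PHP build that includes pdo_sqlite. For the quote-breaking input the concatenated query returns every payment row, because the WHERE clause has become `mpesa = '' OR '1'='1'`, while the hardened path returns nothing: the allow-list rejects the value before any query runs, and even without that check the bound parameter would only be compared as a literal string. The same PDO prepared-statement pattern applies unchanged to a MySQL backend, and pairing it with mitigation 4 (a database account limited to the tables and operations /pay.php actually needs) bounds the damage if any other query is missed.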


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-11T12:41:59.676Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6872590fa83201eaacb47511

Added to database: 7/12/2025, 12:46:07 PM

Last enriched: 7/19/2025, 8:53:23 PM

Last updated: 8/24/2025, 6:21:30 AM
