CVE-2025-7475: SQL Injection in code-projects Simple Car Rental System
A vulnerability classified as critical has been found in code-projects Simple Car Rental System 1.0. This affects an unknown part of the file /pay.php. The manipulation of the argument mpesa leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7475 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Simple Car Rental System, specifically within the /pay.php file. The vulnerability arises from improper sanitization or validation of the 'mpesa' parameter, which is used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 score is 6.9, indicating a medium severity level, with a vector showing network attack vector, low attack complexity, no privileges or user interaction required, and low impact on confidentiality, integrity, and availability. Although the exploit has been publicly disclosed, there are no known exploits actively used in the wild at this time. The lack of available patches or fixes increases the risk for organizations still running this vulnerable version. The Simple Car Rental System is a web-based application used for managing car rental services, and a successful SQL injection attack could lead to data leakage, unauthorized data manipulation, or disruption of service.
Potential Impact
For European organizations using the Simple Car Rental System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and transactional data. Attackers exploiting this flaw could extract sensitive information such as customer identities, payment details, and rental histories, potentially leading to privacy violations under GDPR. Additionally, data manipulation could disrupt business operations, causing financial loss and reputational damage. The ability to execute the attack remotely without authentication increases the threat surface, especially for organizations with externally accessible payment modules. Given the critical nature of payment processing in rental services, exploitation could also impact availability if attackers corrupt or delete database records. This could result in service outages or incorrect billing, further affecting customer trust and regulatory compliance.
Mitigation Recommendations
Organizations should immediately audit their use of the Simple Car Rental System and identify any instances of version 1.0 in production. Since no official patches are currently available, mitigation should focus on implementing input validation and parameterized queries or prepared statements for the 'mpesa' parameter in /pay.php to prevent SQL injection. Web application firewalls (WAFs) can be configured to detect and block SQL injection attempts targeting this parameter. Additionally, network segmentation and restricting external access to payment processing endpoints can reduce exposure. Regular database backups and monitoring for unusual query patterns or data anomalies should be established to detect and recover from potential exploitation. Organizations should also plan to upgrade to a patched or newer version of the software once available or consider alternative solutions with better security postures.
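One way to apply the recommended fix, as an added example rather than code from the Simple Car Rental System project: the concatenation pattern that produces this class of bug, beside a handler that validates the 'mpesa' parameter and binds it with a prepared statement. The mysqli connection, the `payments` table and its columns, the `amount` field and the expected transaction-code format are all assumptions.

```php
<?php
// Added example; not the project's pay.php. Assumes a mysqli connection,
// a `payments` table with columns `mpesa_code` and `amount`, and a form
// that POSTs `mpesa` and `amount`.

// Vulnerable pattern: the request parameter is spliced into the SQL text,
// so any quote or SQL syntax in `mpesa` changes the query's structure.
function record_payment_vulnerable(mysqli $db, string $mpesa, string $amount): bool
{
    $sql = "INSERT INTO payments (mpesa_code, amount) VALUES ('$mpesa', '$amount')";
    return (bool) $db->query($sql);
}

// Hardened version: reject anything that does not look like a transaction
// code, then bind the values as data so the database never parses them as SQL.
function record_payment_safe(mysqli $db, string $mpesa, string $amount): bool
{
    // Assumed code format: 10 uppercase alphanumerics. Adjust to the real
    // format; the point is an allow-list, not a block-list of SQL keywords.
    if (!preg_match('/^[A-Z0-9]{10}$/', $mpesa)) {
        return false;
    }
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO payments (mpesa_code, amount) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $amt = (float) $amount;                 // bind_param takes variables by reference
    $stmt->bind_param('sd', $mpesa, $amt);  // 's' = string, 'd' = double
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Entry point as a payment handler would use it (placeholder credentials).
$db = new mysqli('localhost', 'rental_user', 'PLACEHOLDER_PASSWORD', 'carrental');
$mpesa  = $_POST['mpesa']  ?? '';
$amount = $_POST['amount'] ?? '';
if (!record_payment_safe($db, $mpesa, $amount)) {
    http_response_code(400);
    exit('Invalid payment details');
}
echo 'Payment recorded';
```

Until a patched release exists, the same allow-list check is also what a WAF rule or log monitor for this parameter should encode: a request whose `mpesa` value fails the expected format is the anomaly to alert on.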
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-11T12:41:59.676Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6872590fa83201eaacb47511
Added to database: 7/12/2025, 12:46:07 PM
Last enriched: 7/12/2025, 1:01:07 PM
Last updated: 7/12/2025, 1:01:07 PM
Related Threats
- CVE-2025-7476: SQL Injection in code-projects Simple Car Rental System (Medium)
- CVE-2025-7474: SQL Injection in code-projects Job Diary (Medium)
- CVE-2025-7471: SQL Injection in code-projects Modern Bag (Medium)
- CVE-2025-36104: CWE-277 Insecure Inherited Permissions in IBM Storage Scale (Medium)
- CVE-2025-7470: Unrestricted Upload in Campcodes Sales and Inventory System (Medium)