CVE-2025-7539: SQL Injection in code-projects Online Appointment Booking System
A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects an unknown part of the file /getdoctordaybooking.php. Manipulation of the argument cid leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7539 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Online Appointment Booking System. The vulnerability arises from improper sanitization of the 'cid' parameter in the /getdoctordaybooking.php endpoint. An attacker can remotely manipulate this parameter to inject SQL into the backend query, potentially allowing unauthorized access to or modification of the backend database. This could lead to data leakage, data corruption, or unauthorized administrative actions within the application. The vulnerability requires no authentication or user interaction, making it readily exploitable over the network. Although the CVSS 4.0 base score is 6.9 (medium severity), the vector string shows a network attack vector, low attack complexity, no privileges or user interaction required, and a partial impact on confidentiality, integrity, and availability. The exploit has been publicly disclosed, but there are no confirmed reports of active exploitation in the wild. The affected product is a niche online appointment booking system, likely used by healthcare providers or service organizations to manage scheduling. The lack of available patches or vendor mitigation guidance increases the risk for organizations still running version 1.0 of this software.
Potential Impact
For European organizations, particularly those in healthcare, wellness, or service sectors relying on the code-projects Online Appointment Booking System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive patient or client scheduling data, violating GDPR and other privacy regulations. Data integrity could be compromised, affecting appointment accuracy and operational reliability. Availability impacts could disrupt booking services, leading to reputational damage and operational downtime. Given the remote exploitability without authentication, attackers could leverage this vulnerability to gain footholds in organizational networks, potentially escalating attacks. The medium CVSS score may underestimate the real-world impact due to the sensitive nature of appointment data and regulatory implications in Europe.
Mitigation Recommendations
Organizations should immediately assess their exposure by identifying deployments of code-projects Online Appointment Booking System version 1.0. Since no official patches are currently available, mitigation should focus on Web Application Firewall (WAF) rules that specifically target SQL injection attempts against the 'cid' parameter of /getdoctordaybooking.php. Where source code access is available, strict input validation (the parameter should only ever be a numeric identifier) and parameterized queries should be enforced. Network segmentation should isolate the booking system from critical infrastructure to limit lateral movement. Monitoring and logging of database queries and web requests should be enhanced to detect anomalous activity. Organizations should also prepare for rapid patch deployment once an official fix is released and consider temporary alternative booking solutions if the risk is unacceptable. Regular security audits and penetration testing focused on injection flaws are recommended to prevent similar vulnerabilities.
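The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the advisory or from the code-projects product: it scans web-server access logs (combined log format) for requests to /getdoctordaybooking.php whose cid value is not a plain positive integer, which is the same rule the application itself should enforce before the value reaches a query. The log lines, the source addresses and the assumption that a valid cid is a decimal integer starting at 1 are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/getdoctordaybooking.php"
# Assumption for this example: a legitimate cid is a positive decimal integer.
CID_PATTERN = re.compile(r"^[1-9][0-9]{0,9}$")

# Combined-log-format lines, constructed for this example (203.0.113.0/24 is
# a documentation range). Only the second, third and fourth lines should fire.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jul/2025:19:40:01 +0000] "GET /getdoctordaybooking.php?cid=12 HTTP/1.1" 200 512
203.0.113.11 - - [13/Jul/2025:19:40:07 +0000] "GET /getdoctordaybooking.php?cid=12%27 HTTP/1.1" 500 0
203.0.113.12 - - [13/Jul/2025:19:40:09 +0000] "GET /getdoctordaybooking.php?cid=abc HTTP/1.1" 200 300
203.0.113.13 - - [13/Jul/2025:19:40:12 +0000] "GET /getdoctordaybooking.php?cid= HTTP/1.1" 500 0
203.0.113.14 - - [13/Jul/2025:19:40:15 +0000] "GET /index.php?cid=abc HTTP/1.1" 200 300
203.0.113.15 - - [13/Jul/2025:19:40:20 +0000] "GET /getdoctordaybooking.php HTTP/1.1" 200 100
"""

# client, ident, user, [timestamp], "method target protocol", status, size
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)


def cid_is_valid(raw):
    """Application-side rule: cid must be a positive integer, nothing else."""
    return raw is not None and CID_PATTERN.match(raw) is not None


def find_suspicious(log_text):
    """Return one finding per request to ENDPOINT whose cid fails validation."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        src, ts, _method, target, status, _size = m.groups()
        parts = urlsplit(target)
        if parts.path != ENDPOINT:
            continue  # other endpoints are out of scope for this rule
        # parse_qs percent-decodes values, so "12%27" is compared as "12'".
        cids = parse_qs(parts.query, keep_blank_values=True).get("cid")
        if not cids:
            continue  # no cid supplied: nothing reaches the vulnerable query
        for raw in cids:
            if not cid_is_valid(raw):
                findings.append({"src": src, "time": ts, "cid": raw, "status": int(status)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} cid={f['cid']!r} status={f['status']}")
```

A 500 response paired with a malformed cid is a useful secondary signal, since unparameterized queries often error out on a stray quote before any data is returned.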
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-12T11:38:36.678Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68740cfaa83201eaacbdf89b
Added to database: 7/13/2025, 7:46:02 PM
Last enriched: 7/20/2025, 8:53:49 PM
Last updated: 8/25/2025, 9:52:08 PM