CVE-2025-7541: SQL Injection in code-projects Online Appointment Booking System
A vulnerability has been found in code-projects Online Appointment Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /get_town.php. The manipulation of the argument countryid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AI Analysis
Technical Summary
CVE-2025-7541 is a SQL injection vulnerability in version 1.0 of the code-projects Online Appointment Booking System. It resides in /get_town.php, in the handling of the countryid request parameter. The file name suggests a dependent country-to-town lookup, in which case countryid should only ever be an integer; the advisory indicates that the value reaches a database query without being validated or bound as a parameter, so a remote attacker can append SQL to it (a boolean condition, a UNION SELECT) and read or modify data well beyond the town list the endpoint is meant to return. The VulDB description labels the issue 'critical' under VulDB's own rating scheme, while the CVSS 4.0 base score is 6.9 (medium); use the score, not the label, as the severity input. The analysis states that no authentication or user interaction is required, which makes the bug exploitable with a single HTTP request, and a public proof-of-concept exists, although no in-the-wild exploitation has been reported. Other parameters of the application may be affected in the same way, because the pattern behind this bug (SQL text assembled by string concatenation) is rarely confined to one file. Successful exploitation affects confidentiality, integrity and availability of the backing database: rows can be read (potentially including account credentials stored in the same database), altered or deleted, and expensive queries can be used for denial of service. No vendor patch or mitigation link is recorded, so operators must rely on their own code fixes and compensating controls.
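The following is an added illustration, not code from the code-projects application (whose source is not on this page): a minimal Python/sqlite3 stand-in for a country-to-town lookup in which the query is built by string concatenation, beside the parameterized and type-checked version. The table names, rows and the exact query shape are constructed assumptions; the two payloads show what a proof-of-concept against such an endpoint typically does.

```python
import re
import sqlite3


# Constructed sample schema: a towns table keyed by countryid, plus a users table
# that an attacker would want to reach. This is not the real application's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE towns (id INTEGER PRIMARY KEY, name TEXT, countryid INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO towns VALUES (1, 'Berlin', 1), (2, 'Munich', 1), (3, 'Paris', 2), (4, 'Lyon', 2);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def get_towns_vulnerable(conn, countryid):
    """Assumed shape of the bug: the raw request value is concatenated into the SQL text,
    so whatever follows the number becomes part of the query."""
    sql = "SELECT id, name FROM towns WHERE countryid = " + countryid
    return conn.execute(sql).fetchall()


COUNTRY_ID = re.compile(r"[0-9]{1,9}")


def get_towns_safe(conn, countryid):
    """Hardened version: allow-list the value as a short decimal integer, then bind it as a
    query parameter so the database never parses it as SQL."""
    value = str(countryid).strip()
    if not COUNTRY_ID.fullmatch(value):
        raise ValueError("countryid must be a decimal integer")
    return conn.execute(
        "SELECT id, name FROM towns WHERE countryid = ?", (int(value),)
    ).fetchall()


def is_rejected(conn, countryid):
    """True if the hardened function refuses the value instead of querying with it."""
    try:
        get_towns_safe(conn, countryid)
    except ValueError:
        return True
    return False


def demo():
    conn = build_db()
    return {
        # legitimate lookup: both versions return the two towns with countryid 1
        "legit_vulnerable": get_towns_vulnerable(conn, "1"),
        "legit_safe": get_towns_safe(conn, "1"),
        # boolean payload: the WHERE clause is neutralised and every town comes back
        "tautology": get_towns_vulnerable(conn, "1 OR 1=1"),
        # UNION payload: rows from an unrelated table are returned through the town endpoint
        "union": get_towns_vulnerable(
            conn, "0 UNION SELECT id, username || ':' || password_hash FROM users"
        ),
        # the same payloads never reach the database through the hardened function
        "safe_rejects_tautology": is_rejected(conn, "1 OR 1=1"),
        "safe_rejects_union": is_rejected(conn, "0 UNION SELECT 1, 2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the PHP original the equivalent fix is a PDO prepared statement (`$stmt = $pdo->prepare('... WHERE countryid = ?'); $stmt->execute([$cid]);`) or `mysqli_stmt::bind_param`, after validating the value with `filter_var($_GET['countryid'], FILTER_VALIDATE_INT)` or an `(int)` cast. Escaping or stripping quotes is not a substitute: the tautology payload above contains no quote character at all.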
Potential Impact
For European organizations using the code-projects Online Appointment Booking System version 1.0, this vulnerability poses a significant risk. Appointment booking systems often handle sensitive personal data, including names, contact details, and potentially health or service-related information. Exploitation could lead to unauthorized data disclosure, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Additionally, attackers could modify or delete appointment data, disrupting business operations and damaging customer trust. The remote and unauthenticated nature of the attack increases the likelihood of exploitation, especially if the system is exposed to the internet without adequate network protections. The medium CVSS score reflects a moderate but tangible threat level, emphasizing the need for timely mitigation to avoid reputational damage and compliance issues.
Mitigation Recommendations
No official patch is recorded for this issue, so operators should fix the code themselves where they can and apply compensating controls where they cannot:
1) Fix the query. Validate countryid as an integer and pass it to the database as a bound parameter (PDO prepared statements or mysqli bind_param) instead of concatenating it into the SQL string; apply the same change to every other request parameter that reaches a query, since the advisory notes that other parameters may be affected. Input 'sanitization' on its own (stripping or escaping quotes) is not a substitute for parameterization.
2) Front the application with a Web Application Firewall configured to block SQL injection payloads against /get_town.php. Treat this as a stopgap; for a numeric parameter the rule can be stricter than generic signatures and simply reject any value that is not a plain integer.
3) Restrict network exposure: place the booking system behind a VPN or allow-list trusted source addresses rather than leaving it reachable from the internet.
4) Monitor web-server and database logs for non-numeric countryid values, SQL keywords in query strings, and spikes in database errors or 500 responses from /get_town.php.
5) If the vendor publishes a fixed release, upgrade to it; otherwise plan a migration to software with a maintained code base and secure coding practices.
6) Include injection testing of all dynamic endpoints in regular security assessments and penetration tests.
7) Run the application's database account with the least privileges it needs (read and write on its own tables only, no file-system or administrative privileges, no access to other schemas) so that a successful injection cannot reach beyond the application's data.
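To make recommendation 4 concrete, here is an added Python example (not part of the advisory or of the project) that scans web-server access-log lines for requests to /get_town.php whose countryid value is not a plain integer, and grades each hit by whether the value also contains SQL tokens. The log lines are constructed for the example and use documentation IP ranges; the endpoint-to-parameter map is an assumption you would extend with the application's other id parameters.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (combined log format) for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2025:20:46:03 +0000] "GET /get_town.php?countryid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:20:46:09 +0000] "GET /get_town.php?countryid=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:20:46:15 +0000] "GET /get_town.php?countryid=0%20UNION%20SELECT%201%2Cusername%2Cpassword%20FROM%20users--%20- HTTP/1.1" 200 1024 "-" "python-requests/2.32"
198.51.100.4 - - [13/Jul/2025:20:47:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jul/2025:20:47:05 +0000] "GET /get_town.php?countryid=abc HTTP/1.1" 500 120 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
INTEGER = re.compile(r"[0-9]{1,9}")
SQL_TOKENS = re.compile(r"(?i)'|--|/\*|#|\b(union|select|sleep|benchmark|or|and)\b")

# Endpoint -> parameters that must be integers. /get_town.php and countryid come from the
# advisory; the other id parameters of the application are an assumption to be filled in.
WATCHED = {"/get_town.php": {"countryid"}}


def classify_request(target):
    """Return one (param, decoded value, severity) finding per watched parameter
    whose value is not a plain integer."""
    parts = urlsplit(target)
    params = WATCHED.get(parts.path)
    if not params:
        return []
    findings = []
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(params):
        for raw in query.get(name, []):
            # parse_qs decoded once; decode again so %2527-style double encoding is seen too
            value = unquote_plus(raw)
            if INTEGER.fullmatch(value.strip()):
                continue
            severity = "high" if SQL_TOKENS.search(value) else "low"
            findings.append((name, value, severity))
    return findings


def scan_log(text):
    """Parse each line, classify its request, and collect the suspicious ones."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value, severity in classify_request(m["target"]):
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "param": name, "value": value, "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["severity"]:4} {a["ip"]} {a["time"]} {a["param"]}={a["value"]!r} -> {a["status"]}')
```

Because the parameter is supposed to be numeric, the detector does not need a complete SQL-injection signature set: any non-integer value is already an anomaly worth logging, and the token check only raises the priority. The 500 response on the last sample line is the other signal to watch for; an application that surfaces database errors to the client is also giving the attacker error-based feedback.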
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-12T11:38:44.830Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68741b0ba83201eaacbe6f61
Added to database: 7/13/2025, 8:46:03 PM
Last enriched: 7/21/2025, 8:56:58 PM
Last updated: 8/26/2025, 4:10:37 AM