
CVE-2025-7611: SQL Injection in code-projects Wedding Reservation

Medium
Vulnerability: CVE-2025-7611
Published: Mon Jul 14 2025 (07/14/2025, 14:14:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Wedding Reservation

Description

A vulnerability was found in code-projects Wedding Reservation 1.0. It has been classified as critical. This affects an unknown part of the file /global.php. The manipulation of the argument lu leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/14/2025, 14:46:09 UTC

Technical Analysis

CVE-2025-7611 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Wedding Reservation application. The vulnerability resides in an unspecified portion of the /global.php file, specifically involving the manipulation of the 'lu' argument. This flaw allows an unauthenticated remote attacker to inject malicious SQL code into the backend database queries. The injection can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the application's data. The vulnerability is exploitable without any authentication or user interaction, increasing its risk profile. Although the CVSS v4.0 score is 6.9 (medium severity), the nature of SQL injection vulnerabilities often warrants heightened concern due to their potential for severe impact. The exploit details have been publicly disclosed, which increases the likelihood of exploitation attempts. No official patches or fixes have been published yet, and there are no known exploits actively used in the wild at this time. The vulnerability affects only version 1.0 of the Wedding Reservation product, which is a niche application used for managing wedding event bookings and reservations.

Potential Impact

For European organizations using the code-projects Wedding Reservation 1.0 software, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer data, including personal information related to wedding clients and event details. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, attackers could manipulate or delete reservation data, disrupting business operations and causing financial losses. Since the vulnerability allows remote exploitation without authentication, attackers could target these systems over the internet, increasing the attack surface. Organizations relying on this software for event management may face operational downtime and loss of customer trust if exploited. The lack of a patch means organizations must rely on mitigation strategies until an official fix is available.

Mitigation Recommendations

1. Immediate mitigation should include implementing Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'lu' parameter in /global.php.
2. Conduct a thorough code review and input validation enhancement for all parameters, especially 'lu', to ensure proper sanitization and use of parameterized queries or prepared statements.
3. Restrict external access to the Wedding Reservation application by limiting network exposure through VPNs or IP whitelisting where feasible.
4. Monitor application logs for unusual query patterns or repeated failed attempts that could indicate exploitation attempts.
5. If possible, isolate the affected application environment to minimize lateral movement in case of compromise.
6. Engage with the vendor or community to obtain or develop patches or updated versions that address this vulnerability.
7. Educate staff about the risks and signs of exploitation to enable early detection and response.
8. As a longer-term measure, consider migrating to more secure and actively maintained event management solutions.
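As an added illustration of mitigation item 2, and not code from the code-projects Wedding Reservation project (the page does not show /global.php itself), the block below places a hypothetical lookup that concatenates the 'lu' parameter into the SQL text beside a hardened version that validates the value and binds it through a prepared statement. The table name `reservations`, the column `username`, the function names, and the use of an in-memory SQLite database for the self-contained run are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the code-projects Wedding Reservation app.
// Assumptions (hypothetical): /global.php reads the `lu` request parameter
// and uses it to look up one row in a table `reservations` by a column
// `username`. Neither name appears on the advisory page.

// --- Vulnerable pattern: the parameter becomes part of the SQL text ---
// Whatever the client sends in `lu` is parsed as SQL by the database, which
// is the defect class CVE-2025-7611 describes. Shown for contrast only.
function lookupVulnerable(PDO $db, string $lu): ?array
{
    $sql = "SELECT id, username, event_date FROM reservations WHERE username = '" . $lu . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened pattern ---
// Step 1: reject input that does not match the expected shape (allow-list).
function validateLu(?string $lu): string
{
    if ($lu === null || !preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $lu)) {
        throw new InvalidArgumentException('invalid lu parameter');
    }
    return $lu;
}

// Step 2: bind the value as a parameter, so the database always treats it
// as data and never as part of the statement.
function lookupHardened(PDO $db, ?string $lu): ?array
{
    $lu = validateLu($lu);
    $stmt = $db->prepare('SELECT id, username, event_date FROM reservations WHERE username = :lu');
    $stmt->bindValue(':lu', $lu, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Self-contained run against an in-memory SQLite database ---
// Constructed sample data. A MySQL deployment would use the mysql: DSN and
// set PDO::ATTR_EMULATE_PREPARES => false so prepares are done server-side.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reservations (id INTEGER PRIMARY KEY, username TEXT NOT NULL, event_date TEXT NOT NULL)');
$db->exec("INSERT INTO reservations (username, event_date) VALUES ('alice', '2025-09-01'), ('bob', '2025-10-12')");

// A legitimate value returns the row.
print_r(lookupHardened($db, 'alice'));

// A value containing a quote is refused at validation, before any query
// runs; the request handler should answer 400 rather than surface a DB error.
try {
    lookupHardened($db, "bob'");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Even without the allow-list, binding keeps the quote inside the value as
// literal data: this searches for a user literally named bob' and finds none.
$stmt = $db->prepare('SELECT COUNT(*) FROM reservations WHERE username = :lu');
$stmt->execute([':lu' => "bob'"]);
echo 'rows matching literal value: ' . $stmt->fetchColumn() . "\n";
```

The WAF rule in item 1 is a stopgap that can be bypassed by encoding variations; the prepared statement is the actual fix, because it removes the parsing step that injection depends on, and the allow-list check in front of it gives a clean 400 response and a log line to watch for under item 4.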


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-13T20:49:49.009Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687514a8a83201eaacc75dfb

Added to database: 7/14/2025, 2:31:04 PM

Last enriched: 7/14/2025, 2:46:09 PM

Last updated: 7/15/2025, 8:43:23 PM

