CVE-2025-7749: SQL Injection in code-projects Online Appointment Booking System
A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects some unknown processing of the file /admin/getmanagerregion.php. The manipulation of the argument city leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7749 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Online Appointment Booking System. The vulnerability resides in the /admin/getmanagerregion.php file, specifically in the processing of the 'city' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with the vector string showing no privileges required (PR:N), no user interaction (UI:N), and network attack vector (AV:N). The impact on confidentiality, integrity, and availability is low to limited, suggesting that while exploitation is feasible, the extent of damage may be constrained by the application’s architecture or database permissions. No known exploits are currently reported in the wild, and no official patches have been published yet. The vulnerability disclosure is recent, dated July 17, 2025. Given the nature of appointment booking systems, which often handle sensitive personal data and scheduling information, exploitation could lead to unauthorized data disclosure, data tampering, or disruption of service, affecting business operations and user trust.
Potential Impact
For European organizations using the code-projects Online Appointment Booking System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and operational data. Appointment systems often store personally identifiable information (PII), including names, contact details, and appointment histories, which are protected under GDPR. Exploitation could lead to data breaches, resulting in regulatory penalties and reputational damage. Additionally, attackers could manipulate appointment data, causing operational disruptions or denial of service to legitimate users. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially if the system is exposed to the internet without adequate network protections. European healthcare providers, service companies, and public sector entities relying on this software could face compliance issues and service interruptions, impacting citizens and customers. The medium CVSS score reflects a moderate but actionable threat that requires prompt attention to prevent escalation.
Mitigation Recommendations
European organizations should immediately conduct an inventory to identify deployments of code-projects Online Appointment Booking System version 1.0. Until an official patch is released, implement strict input validation and sanitization on the 'city' parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection payloads. Employ parameterized queries or prepared statements if source code access is available to developers. Restrict access to the /admin/getmanagerregion.php endpoint via network segmentation and IP whitelisting to limit exposure. Monitor web server and database logs for unusual query patterns indicative of injection attempts. Conduct regular security assessments and penetration testing focused on injection flaws. Educate administrators on the risks and signs of exploitation. Once a vendor patch is available, prioritize its deployment. Additionally, ensure that database accounts used by the application have the least privileges necessary to limit the impact of any successful injection.
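The parameterized-query and input-validation recommendations above, as an added PHP example that is not the project's own code. The table and column names (managers, city, region), the session key admin_id and the database credentials are assumptions; the vulnerable function shows the string-splicing shape the advisory implies, the safe one the corrected handling.

```php
<?php
// Added example, not code from code-projects Online Appointment Booking System.
// Assumed schema: managers(city, region). Assumed session key: admin_id.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Assumed vulnerable shape: the request value is spliced into the SQL text,
// so the database cannot distinguish the data from the query structure.
function lookupRegionVulnerable(mysqli $db, string $city): array
{
    $sql = "SELECT region FROM managers WHERE city = '$city'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Hardened: allowlist-validate the value, then bind it as a parameter so it
// travels separately from the query text and can never alter the statement.
function lookupRegionSafe(mysqli $db, string $city): array
{
    // City names: letters, spaces, dots, hyphens, apostrophes; bounded length.
    if ($city === '' || strlen($city) > 64 || !preg_match("/^[\\p{L} .'-]+$/u", $city)) {
        throw new InvalidArgumentException('invalid city');
    }
    $stmt = $db->prepare('SELECT region FROM managers WHERE city = ?');
    $stmt->bind_param('s', $city);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// The advisory notes the endpoint needs no authentication; an admin-only
// handler should also check the session before touching the database.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('forbidden');
}

// Assumed least-privilege, read-only database account for this lookup.
$db = new mysqli('localhost', 'appt_ro', 'PLACEHOLDER_PASSWORD', 'appointment');
$db->set_charset('utf8mb4');

try {
    $rows = lookupRegionSafe($db, (string)($_GET['city'] ?? ''));
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);   // reject bad input without echoing SQL errors
    exit('bad request');
}
```

A rejected request logged with its client address and the failing parameter gives the log-monitoring step in the recommendations something concrete to alert on.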
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-17T10:33:20.286Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68793deba83201eaace7fc69
Added to database: 7/17/2025, 6:16:11 PM
Last enriched: 7/17/2025, 6:31:14 PM
Last updated: 7/28/2025, 7:02:47 PM