
CVE-2025-7750: SQL Injection in code-projects Online Appointment Booking System

Severity: Medium
Published: Thu Jul 17 2025 (07/17/2025, 19:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Online Appointment Booking System

Description

A vulnerability, which was classified as critical, was found in code-projects Online Appointment Booking System 1.0. Affected is an unknown function of the file /admin/adddoctorclinic.php. The manipulation of the argument clinic leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/17/2025, 19:31:52 UTC

Technical Analysis

CVE-2025-7750 is an SQL injection vulnerability in version 1.0 of the code-projects Online Appointment Booking System. The flaw lies in an unspecified function of /admin/adddoctorclinic.php, where the 'clinic' parameter is used in a database query without adequate validation or sanitization, so an unauthenticated remote attacker can inject SQL into the backend query. Successful exploitation could let an attacker read, modify or delete data in the application's database. The CVSS 4.0 vector describes a network attack of low complexity that requires neither privileges nor user interaction; although the base score is 6.9 (medium), VulDB classifies the issue as critical, and a network-reachable, zero-privilege vector usually warrants treating the risk as higher than the score alone suggests. A public exploit has been disclosed, but no exploitation in the wild has been reported so far. The available data lists no patch or vendor mitigation, so affected organizations must rely on compensating controls in the meantime. Because the system is typically used by clinics and healthcare providers to manage appointments, the confidentiality and integrity of patient data are the primary concern: an attacker could expose sensitive patient information or disrupt appointment operations.

Potential Impact

For European organizations, particularly healthcare providers using the affected Online Appointment Booking System version 1.0, this vulnerability poses a significant risk to patient data confidentiality and system integrity. Successful exploitation could lead to unauthorized access to sensitive personal health information, violating GDPR requirements and potentially resulting in severe legal and financial penalties. Additionally, manipulation or deletion of appointment or clinical data could disrupt healthcare services, impacting patient care and operational continuity. The remote, unauthenticated nature of the attack vector increases the likelihood of exploitation, especially if systems are exposed to the internet without adequate network protections. Given the criticality of healthcare data and the strict regulatory environment in Europe, this vulnerability could have far-reaching consequences for affected organizations, including reputational damage and loss of patient trust.

Mitigation Recommendations

European organizations should immediately audit their deployments of the code-projects Online Appointment Booking System to identify any instances of version 1.0. In the absence of an official patch, organizations must implement compensating controls such as:

1) Restricting access to the /admin/adddoctorclinic.php endpoint via network segmentation and firewall rules to trusted IP addresses only.
2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'clinic' parameter.
3) Conducting thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries.
4) Monitoring logs for suspicious database query patterns or repeated failed attempts to exploit the vulnerability.
5) Planning and executing an upgrade or migration to a patched or alternative appointment booking system version as soon as it becomes available.
6) Educating IT and security teams about this vulnerability and ensuring incident response plans are updated to handle potential exploitation scenarios.
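As an added illustration of recommendation 3 (not code from the code-projects application, whose source is not reproduced here), the following is a hardened PHP handler for the 'clinic' parameter that combines allow-list validation with a PDO prepared statement, which is the standard structural fix for this class of bug. The table and column names, the 'doctor' parameter, the database credentials and the admin session check are assumptions.

```php
<?php
// Added example: a hypothetical hardened replacement for the handler behind
// /admin/adddoctorclinic.php. Table/column names and credentials are assumed.
declare(strict_types=1);

function getPdo(): PDO
{
    // Placeholder DSN and credentials; take them from deployment configuration.
    $pdo = new PDO('mysql:host=localhost;dbname=appointment_db;charset=utf8mb4',
                   'DB_USER', 'DB_PASSWORD');
    // Use server-side prepared statements, not client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Allow-list validation: 1-100 characters of letters, digits, spaces and a few
// punctuation marks. Anything else is rejected before it reaches the database.
function validateClinicName(string $clinic): ?string
{
    $clinic = trim($clinic);
    if ($clinic === '' || mb_strlen($clinic) > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,\'&-]+$/u', $clinic)) {
        return null;
    }
    return $clinic;
}

function addDoctorClinic(PDO $pdo, int $doctorId, string $rawClinic): bool
{
    $clinic = validateClinicName($rawClinic);
    if ($clinic === null) {
        http_response_code(400);
        return false;
    }
    // The value is bound as data, so it cannot change the structure of the query.
    $stmt = $pdo->prepare(
        'INSERT INTO doctor_clinic (doctor_id, clinic_name) VALUES (:doctor_id, :clinic)'
    );
    $stmt->bindValue(':doctor_id', $doctorId, PDO::PARAM_INT);
    $stmt->bindValue(':clinic', $clinic, PDO::PARAM_STR);
    return $stmt->execute();
}

// Entry point; the admin session check is an assumption about the application.
session_start();
if (empty($_SESSION['admin_id'])) { http_response_code(403); exit; }
$doctorId = filter_input(INPUT_POST, 'doctor', FILTER_VALIDATE_INT);
if ($doctorId === false || $doctorId === null) { http_response_code(400); exit; }
addDoctorClinic(getPdo(), $doctorId, (string)($_POST['clinic'] ?? ''));
```

Rejected submissions (HTTP 400 from validateClinicName) are also a useful signal for the log monitoring in recommendation 4, since repeated rejections on this endpoint indicate probing of the 'clinic' parameter.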


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-17T10:33:22.798Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68794c09a83201eaace850a2

Added to database: 7/17/2025, 7:16:25 PM

Last enriched: 7/17/2025, 7:31:52 PM

Last updated: 8/14/2025, 11:00:42 PM
