CVE-2025-7751: SQL Injection in code-projects Online Appointment Booking System
A vulnerability has been found in code-projects Online Appointment Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/addclinic.php. The manipulation of the argument cid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7751 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Online Appointment Booking System. The vulnerability resides in the /admin/addclinic.php file, specifically in the handling of the 'cid' parameter. An attacker can remotely manipulate this parameter without any authentication or user interaction to inject malicious SQL code. This injection flaw allows the attacker to interfere with the backend database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known to be actively used in the wild, the exploit details have been publicly disclosed, increasing the risk of exploitation by opportunistic attackers. The vulnerability affects an unknown functionality within the admin interface, which suggests that successful exploitation could compromise administrative operations or sensitive data related to clinic management within the booking system. Given the nature of appointment booking systems, which often store personal and scheduling information, exploitation could lead to data breaches or service disruption.
Potential Impact
For European organizations using the affected Online Appointment Booking System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive client and operational data. Successful exploitation could allow attackers to extract patient or client information, modify appointment schedules, or disrupt service availability. This could lead to regulatory non-compliance, especially under GDPR, resulting in legal penalties and reputational damage. Healthcare providers, clinics, and service organizations relying on this system may face operational disruptions, loss of client trust, and potential financial losses. The remote and unauthenticated nature of the attack vector increases the threat level, as attackers can exploit the vulnerability without needing internal access or user credentials. Although the CVSS score suggests medium severity, the critical classification by the vendor and the public disclosure of exploit details elevate the urgency for mitigation.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should upgrade to a patched version of the Online Appointment Booking System as soon as the vendor releases one. Until an official patch is available, the /admin/addclinic.php script should strictly validate the 'cid' parameter and pass it to the database through parameterized queries or prepared statements rather than building the SQL string from it; binding the value separately from the query text is what prevents the injection, not escaping alone. Additionally, restricting access to the admin interface via network segmentation, VPNs, or IP whitelisting reduces exposure. A Web Application Firewall (WAF) with rules to detect and block SQL injection attempts against the 'cid' parameter adds a further layer of defense. Regular security audits and code reviews of the booking system should be conducted to identify and remediate similar injection flaws. Monitoring logs for suspicious activity involving the 'cid' parameter or admin endpoints can help detect exploitation attempts early. Finally, organizations should maintain backups of critical data so that they can recover from data tampering or loss.
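The page does not show the code of /admin/addclinic.php, so the following is an added example rather than the project's own code: it assumes the script looks up a clinic row by the 'cid' request parameter, and the table name, column names and query shape are assumptions. It places the concatenation pattern that produces this class of bug beside the validated, parameterized version the recommendation calls for, using an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not code from the Online Appointment Booking System.
// Assumed: a 'clinic' table with integer 'id' and text 'name' columns.
declare(strict_types=1);

// Vulnerable pattern: the request value is spliced into the SQL text, so any
// SQL metacharacters in $cid change the statement the database executes.
function lookupClinicUnsafe(PDO $pdo, string $cid): array
{
    $sql = "SELECT id, name FROM clinic WHERE id = '" . $cid . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate that cid is a positive integer identifier, then
// bind it as a typed parameter so it can never be interpreted as SQL.
function lookupClinicSafe(PDO $pdo, $rawCid): ?array
{
    $cid = filter_var($rawCid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        return null;                     // reject; do not try to "clean" the value
    }
    $stmt = $pdo->prepare('SELECT id, name FROM clinic WHERE id = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demonstration with constructed data (no real application DB).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clinic (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO clinic (id, name) VALUES (1, 'Central'), (2, 'North')");

// Constructed input: a value that is not a clinic id but is valid SQL syntax.
$tampered = "1' OR '1'='1";

// Unsafe lookup: the WHERE clause is neutralised and every clinic is returned.
echo 'unsafe rows: ' . count(lookupClinicUnsafe($pdo, $tampered)) . PHP_EOL;

// Safe lookup: the value fails validation and no query is run at all.
var_dump(lookupClinicSafe($pdo, $tampered));

// Safe lookup with a well-formed id still returns the expected row.
var_dump(lookupClinicSafe($pdo, '2'));
```

The validation step matters on its own: because the parameter is an identifier, anything that is not a positive integer can be rejected before the database is involved, which also gives the monitoring recommended above a clean signal (a non-numeric 'cid' on an admin endpoint is never legitimate traffic for this script under the assumed design).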
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-17T10:33:25.337Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68794c09a83201eaace8509b
Added to database: 7/17/2025, 7:16:25 PM
Last enriched: 7/17/2025, 7:32:05 PM
Last updated: 8/15/2025, 5:50:37 AM