
CVE-2025-7752: SQL Injection in code-projects Online Appointment Booking System

Severity: Medium
Type: Vulnerability
CVE ID: CVE-2025-7752
Published: Thu Jul 17 2025 (07/17/2025, 19:32:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Online Appointment Booking System

Description

A vulnerability was found in code-projects Online Appointment Booking System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/deletedoctor.php. The manipulation of the argument did leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/17/2025, 20:01:54 UTC

Technical Analysis

CVE-2025-7752 is a SQL injection vulnerability in version 1.0 of the code-projects Online Appointment Booking System. The flaw is in the /admin/deletedoctor.php script, where the did argument (the doctor record identifier) is used in a database query without adequate validation or sanitization, so a remote attacker can alter the structure of the SQL query. According to the CVSS 4.0 vector, the attack is network-reachable, of low complexity, and needs neither privileges nor user interaction; the base score is 6.9 (medium). The impact on confidentiality, integrity, and availability is rated limited but present: injected SQL could expose or modify doctor, patient, or appointment data. Although no exploitation in the wild has been reported, the vulnerability has been publicly disclosed, which raises the likelihood of attempts. No official patch or vendor mitigation guidance is available at the time of writing. The affected functionality is the administrative deletion of doctor records, a sensitive operation in a healthcare appointment system.

Potential Impact

For European organizations, particularly healthcare providers and clinics using the code-projects Online Appointment Booking System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access or manipulation of sensitive patient and appointment data, violating data protection regulations such as GDPR. Data integrity issues could disrupt appointment scheduling, impacting patient care and operational continuity. Confidentiality breaches could expose personal health information, leading to reputational damage and potential legal penalties. The remote and unauthenticated nature of the attack vector increases the likelihood of exploitation by threat actors, including cybercriminals targeting healthcare infrastructure. Given the critical role of appointment systems in healthcare workflows, any disruption or data compromise could have cascading effects on service delivery and patient trust across European healthcare institutions.

Mitigation Recommendations

Organizations should immediately audit their environments to identify deployments of Online Appointment Booking System version 1.0. As no official patch is available, administrators should add strict input validation to the /admin/deletedoctor.php endpoint (for example, accepting only a numeric did value) and move the underlying query to a parameterized (prepared) statement. A Web Application Firewall (WAF) with custom rules for SQL injection patterns against this endpoint can provide interim protection. Restricting access to the administrative interface through network segmentation, VPN access, or IP allowlisting reduces exposure. Regular review of web server and database logs for suspicious query strings or unusual administrative actions is important for early detection. Organizations should also consider migrating to an appointment booking solution with active security support, or upgrading to a patched version once one is released. Finally, maintaining tested backups and an incident response plan will limit the impact of any successful exploitation.
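The following script is an added example and is not code from the advisory or from the code-projects product. It implements two of the recommendations above for this specific endpoint: an allowlist check that a did value is a plain integer (the same check an administrator would add to the PHP script before the query runs), and a scan of web server access logs that flags requests to /admin/deletedoctor.php whose did parameter fails that check. The advisory names only the endpoint and the did argument; the common log format and the sample log lines below are constructed assumptions.

```python
"""Added example, not part of the advisory or the vendor's code.

Checks the `did` parameter of /admin/deletedoctor.php requests in a web
server access log. Only the endpoint name and the argument name come from
the advisory; the log format and sample lines are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed Apache/nginx combined log layout: only client IP, timestamp and
# the request target are extracted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ENDPOINT = "/admin/deletedoctor.php"

# A doctor record id should be a short positive integer and nothing else.
# This allowlist is the validation the advisory recommends adding server-side.
ID_RE = re.compile(r"^\d{1,10}$")

# Tokens that indicate the value was tampered with rather than mistyped.
SQL_HINT_RE = re.compile(r"('|--|/\*|;|\bor\b|\bunion\b|\bselect\b)", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    ts: str
    did: str
    reason: str


def check_did(value):
    """Return None when the value is an acceptable id, otherwise a short reason."""
    if value is None:
        return "missing did parameter"
    if ID_RE.match(value):
        return None
    if SQL_HINT_RE.search(value):
        return "SQL metacharacters in did"
    return "non-numeric did"


def scan(lines):
    """Scan access log lines and return one Finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue  # other scripts are out of scope for this check
        # parse_qs percent-decodes the value, so the check sees what PHP sees.
        did = parse_qs(parts.query, keep_blank_values=True).get("did", [None])[0]
        reason = check_did(did)
        if reason is not None:
            findings.append(Finding(m.group("ip"), m.group("ts"), did or "", reason))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jul/2025:19:40:01 +0000] "GET /admin/deletedoctor.php?did=7 HTTP/1.1" 302 0',
    '203.0.113.5 - - [17/Jul/2025:19:40:02 +0000] "GET /admin/deletedoctor.php?did=7%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Jul/2025:19:41:10 +0000] "GET /admin/deletedoctor.php?did=abc HTTP/1.1" 200 88',
    '198.51.100.9 - - [17/Jul/2025:19:41:11 +0000] "GET /admin/viewdoctor.php?did=%27 HTTP/1.1" 200 88',
    '192.0.2.1 - - [17/Jul/2025:19:42:00 +0000] "GET /admin/deletedoctor.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} did={f.did!r}: {f.reason}")
```

On the constructed sample, the first request (did=7) passes, the quoted and non-numeric values are flagged, the request to a different script is ignored, and the request with no did at all is reported so it can be checked against the POST body or proxy logs. The same check_did logic, ported to PHP at the top of deletedoctor.php together with a prepared statement for the DELETE, is the interim server-side fix the mitigation section describes.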


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-17T10:33:30.583Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68795303a83201eaace879bd

Added to database: 7/17/2025, 7:46:11 PM

Last enriched: 7/17/2025, 8:01:54 PM

Last updated: 8/23/2025, 8:50:26 AM

