
CVE-2025-9700: SQL Injection in SourceCodester Online Book Store

Medium
Tags: Vulnerability, CVE-2025-9700
Published: Sat Aug 30 2025 (08/30/2025, 17:32:07 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Book Store

Description

A flaw has been found in SourceCodester Online Book Store 1.0. This issue affects some unknown processing of the file /publisher_list.php. Manipulation of the argument pubid causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

AI-Powered Analysis

Last updated: 08/30/2025, 18:02:46 UTC

Technical Analysis

CVE-2025-9700 is a SQL Injection vulnerability identified in SourceCodester Online Book Store version 1.0, specifically within the /publisher_list.php file. The vulnerability arises from improper sanitization or validation of the 'pubid' parameter, which is used in SQL queries. An attacker can manipulate this parameter remotely without any authentication or user interaction to inject malicious SQL code. This can lead to unauthorized access to the backend database, allowing attackers to read, modify, or delete data. Given the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P), the attack is network exploitable with low attack complexity, requires no privileges or user interaction, and can partially impact confidentiality, integrity, and availability. The vulnerability does not affect system components beyond the application scope, but the potential for data leakage or manipulation remains significant. No patches or fixes have been published yet, and while no known exploits are currently observed in the wild, the public availability of exploit code increases the risk of exploitation.

Potential Impact

For European organizations using SourceCodester Online Book Store 1.0, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized disclosure of sensitive customer data, including personal information and transaction records, potentially violating GDPR and other data protection regulations. Data integrity could be compromised, affecting business operations and trustworthiness. Availability impacts are limited but possible if attackers execute destructive SQL commands. The lack of authentication requirement means attackers can target these systems remotely, increasing exposure. Organizations relying on this software for e-commerce or digital content distribution may face reputational damage and financial losses if exploited. Additionally, regulatory fines and legal consequences could arise from data breaches. The medium severity rating suggests that while the threat is serious, it is not critical, but timely remediation is essential to prevent escalation.

Mitigation Recommendations

Organizations should immediately audit their use of SourceCodester Online Book Store 1.0 and identify any instances of the vulnerable /publisher_list.php endpoint. As no official patch is available, applying input validation and parameterized queries or prepared statements to the 'pubid' parameter is critical to prevent SQL injection. Employing web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting 'pubid' can provide temporary protection. Regularly monitoring logs for suspicious query patterns and unusual database activity is advised. Organizations should also consider isolating the affected application from sensitive backend systems and databases to limit potential damage. Updating or migrating to a more secure and actively maintained e-commerce platform should be planned. Finally, ensure that backups are current and tested to enable recovery in case of data corruption or loss.
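The following is an added illustration of the remediation described above, not code from SourceCodester Online Book Store itself: the weak pattern (a reconstruction of the flaw class the advisory describes, with assumed table and column names) is shown beside a version that validates pubid as an integer and binds it through a prepared statement.

```php
<?php
// Added example; not the project's code. The table and column names
// (publishers, pubid, name) are assumptions made for illustration.

// WEAK PATTERN (reconstruction of the flaw class in the advisory): the
// request parameter is concatenated into the SQL text, so whatever the
// client sends becomes part of the query structure.
function list_publisher_weak(mysqli $db, array $get)
{
    $pubid = $get['pubid'] ?? '';
    $sql   = "SELECT pubid, name FROM publishers WHERE pubid = '" . $pubid . "'";
    return $db->query($sql);
}

// HARDENED: validate the parameter's type first, then pass it as bound
// data so the query structure is fixed before any client value is seen.
function list_publisher_safe(mysqli $db, array $get): array
{
    // pubid is expected to be a positive integer identifier; reject anything else.
    $pubid = filter_var($get['pubid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($pubid === false) {
        http_response_code(400);
        return [];
    }

    $stmt = $db->prepare("SELECT pubid, name FROM publishers WHERE pubid = ?");
    if ($stmt === false) {
        http_response_code(500);
        return [];
    }
    $stmt->bind_param('i', $pubid);   // 'i' = integer; the value is never parsed as SQL
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (assumes an existing mysqli connection; credentials are placeholders):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'bookstore');
// $db->set_charset('utf8mb4');
// $rows = list_publisher_safe($db, $_GET);
```

Applying the same validate-then-bind pattern to every request parameter that reaches a query is the durable fix; the WAF rules and log monitoring mentioned above only reduce exposure until that is done.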


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T15:51:19.399Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b33940ad5a09ad00905df5

Added to database: 8/30/2025, 5:47:44 PM

Last enriched: 8/30/2025, 6:02:46 PM

Last updated: 8/31/2025, 3:38:57 AM
