Online Appointment Booking System
CVE-2025-14939
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability was found in code-projects Online Appointment Booking System 1.0. Impacted is an unknown function of the file /admin/deletemanager.php. The manipulation of the argument managername results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.
Analysis (AI-generated)
SQL injection in code-projects Online Appointment Booking System 1.0 allows high-privilege remote attackers to manipulate the managername parameter of /admin/deletemanager.php, with limited confidentiality and integrity impact. The EPSS score of 0.05% and the CVSS score of 2.0 reflect the high privilege requirement (PR:H), which severely constrains real-world exploitability despite the public POC.
Technical Context (AI-generated)
The vulnerability exists in the PHP file /admin/deletemanager.php, where user-supplied input from the managername parameter is incorporated into SQL queries without proper sanitization, violating CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'). Exploitation requires administrative credentials, so the flaw sits in an authenticated admin panel function whose input is not validated. The injection lets an attacker with admin access read or modify database records beyond the intended scope of the delete-manager operation.
Remediation (AI-generated)
Upgrade to a patched version if code-projects provides one; vendor patch status is not confirmed from the available data. As interim compensating controls pending a patch: apply strict input validation and use parameterized prepared statements for every SQL query in /admin/deletemanager.php, so the managername value is bound as data rather than concatenated into the query. Restrict access to the admin panel (/admin/*) to an allow-list of internal IP addresses in the web server configuration (for example Apache .htaccess or nginx allow/deny directives). Enforce strong, unique administrative passwords and lock accounts after repeated failed logins to reduce the risk of credential compromise. Monitor admin panel access logs for SQL-like input in the managername parameter. If manager deletion is not actively used, disable /admin/deletemanager.php entirely; this removes the attack surface with no loss of functionality.
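The following PHP is an added example, not code from code-projects' Online Appointment Booking System; it contrasts the unsafe pattern the advisory describes (the managername parameter spliced into a DELETE statement) with a validated, parameterized version. The table name `manager`, the column `managername`, the sample rows and the crafted input are all constructed for the demo, and an in-memory SQLite database via PDO stands in for the application's MySQL backend so it runs offline.

```php
<?php
// Added example (hypothetical code, not the project's own): shows why the
// string-built DELETE in a deletemanager-style handler is injectable and how a
// validated, parameterized statement closes the hole. Schema and data are
// constructed for this demo; SQLite in memory stands in for MySQL.

declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE manager (id INTEGER PRIMARY KEY, managername TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO manager (managername) VALUES (?)');
    foreach (['alice', 'bob', 'carol'] as $name) {   // constructed sample rows
        $stmt->execute([$name]);
    }
    return $db;
}

// Vulnerable pattern: the request parameter is spliced straight into the SQL text,
// so the database parses attacker-controlled bytes as part of the WHERE clause.
function deleteManagerUnsafe(PDO $db, string $managername): int {
    $sql = "DELETE FROM manager WHERE managername = '$managername'";
    return $db->exec($sql);   // number of rows deleted
}

// Hardened pattern: reject anything that is not a plausible manager name, then bind
// the value as a parameter so it can only ever be compared as data.
function deleteManagerSafe(PDO $db, string $managername): int {
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $managername)) {
        throw new InvalidArgumentException('managername must be 1-64 chars of [A-Za-z0-9_.-]');
    }
    $stmt = $db->prepare('DELETE FROM manager WHERE managername = ?');
    $stmt->execute([$managername]);
    return $stmt->rowCount();  // number of rows deleted
}

function countManagers(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM manager')->fetchColumn();
}

// Constructed input: a tautology in the name field. The unsafe function lets it widen
// the WHERE clause; the safe function rejects it before any SQL runs.
$crafted = "x' OR '1'='1";

$db = makeDb();
$deleted = deleteManagerUnsafe($db, $crafted);
printf("unsafe: deleted %d row(s), %d manager(s) remain\n", $deleted, countManagers($db));

$db = makeDb();
try {
    deleteManagerSafe($db, $crafted);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected input (' . $e->getMessage() . ")\n";
}
printf("safe: %d manager(s) remain\n", countManagers($db));

// A legitimate request still works through the hardened path.
$db = makeDb();
$deleted = deleteManagerSafe($db, 'bob');
printf("safe: deleted %d row(s) for 'bob', %d manager(s) remain\n", $deleted, countManagers($db));
```

Run it with the PDO SQLite driver enabled (`php example.php`). The unsafe path deletes every row because the injected `OR '1'='1'` makes the WHERE clause true for all of them; the safe path never reaches the database with that input, and the bound parameter would in any case be compared literally as a name. The regex allow-list is an assumption about what a manager name looks like and would be adjusted to the application's real naming rules; the prepared statement is the control that actually removes the injection.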