EUVD-2025-21245Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability classified as critical was found in code-projects Online Appointment Booking System 1.0. This vulnerability affects unknown code of the file /cancelbookingpatient.php. The manipulation of the argument appointment leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
CVE-2025-7516 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, affecting the /cancelbookingpatient.php endpoint via the 'appointment' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of appointment records and sensitive patient information. Public disclosure and proof-of-concept availability indicate active exploitation risk.
Technical ContextAI
The vulnerability stems from improper input validation and parameterization in the appointment cancellation functionality. The /cancelbookingpatient.php file fails to sanitize or use prepared statements for the 'appointment' parameter before incorporating it into SQL queries, enabling classic SQL injection (CWE-74: Improper Neutralization of Special Elements used in an Output ('Injection')). This is a type of second-order or direct injection vulnerability in a PHP-based appointment management system. The affected product is code-projects Online Appointment Booking System 1.0, a web application for managing patient appointment scheduling. CPE likely: cpe:2.3:a:code-projects:online_appointment_booking_system:1.0:*:*:*:*:*:*:*
RemediationAI
{'type': 'Patch', 'action': 'Upgrade to patched version (specific patched version not provided in available data; contact code-projects for availability)', 'priority': 'IMMEDIATE'} {'type': 'Code-Level Fix', 'action': "Implement parameterized queries/prepared statements in /cancelbookingpatient.php for the 'appointment' parameter: Use mysqli_prepare() or PDO prepared statements instead of string concatenation in SQL queries", 'priority': 'IMMEDIATE'} {'type': 'Input Validation', 'action': "Implement whitelist-based input validation for the 'appointment' parameter (e.g., numeric ID validation if appointment IDs are integers)", 'priority': 'IMMEDIATE'} {'type': 'WAF Rule', 'action': 'Deploy Web Application Firewall rules to detect and block SQL injection patterns in /cancelbookingpatient.php requests', 'priority': 'INTERIM'} {'type': 'Database Security', 'action': 'Apply principle of least privilege: restrict database user account permissions to only necessary operations (SELECT, UPDATE on appointment tables, not DROP/ALTER)', 'priority': 'HIGH'} {'type': 'Monitoring', 'action': 'Enable database query logging and implement alerts for suspicious SQL patterns (UNION, comments, time-delays) on this endpoint', 'priority': 'HIGH'}
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today