
PHP CVE-2025-7539

EUVD-2025-21269 · MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published 2025-07-13 · CNA: cna@vuldb.com
CVSS 4.0 base score 5.5 (NVD)

Severity by source

NVD (primary): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD, the only scoring source for this CVE.

CVSS Vector (NVD), metric by metric

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability Low (VC:L/VI:L/VA:L)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)
Environmental and supplemental metrics: not defined (all X). Note that CVSS 4.0 has no Scope metric; the trailing S:X is the supplemental Safety metric, left undefined.

Lifecycle Timeline (6 events, newest first)

Apr 29, 2026 01:11 · NVD · Severity changed: HIGH → MEDIUM
Apr 29, 2026 01:11 · NVD · CVSS changed: 7.3 (HIGH) → 5.5 (MEDIUM)
Mar 16, 2026 09:18 · EUVD · EUVD ID assigned: EUVD-2025-21269
Mar 16, 2026 09:18 · vuln.today · Analysis generated
Jul 16, 2025 14:54 · vuln.today · PoC detected: public exploit code
Jul 13, 2025 20:15 · NVD · CVE published with initial score 7.3 (HIGH)

Description (CVE.org)

A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects some unknown processing of the file /getdoctordaybooking.php. The manipulation of the argument cid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-7539 is an SQL injection in code-projects Online Appointment Booking System 1.0: the cid parameter of /getdoctordaybooking.php is used in a database query without being neutralized. The CNA (VulDB) classifies the issue as critical, while NVD's CVSS 4.0 assessment is 5.5 (MEDIUM), with low confidentiality, integrity and availability impact on the vulnerable system and none on subsequent systems. No privileges or user interaction are required, so an unauthenticated remote attacker who can reach the endpoint can alter the query and read, modify or delete booking data, bounded by the privileges of the database account the application uses. Public proof-of-concept code exists (exploit maturity E:P); the page records no confirmed exploitation in the wild.

Technical Context (AI)

Online Appointment Booking System is a PHP web application typically deployed on Apache or Nginx with a MySQL/MariaDB backend. The page classifies the weakness as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the generic injection class of which SQL injection (CWE-89) is a child. Concretely, /getdoctordaybooking.php passes the cid request parameter into an SQL query without a prepared statement, escaping or type validation, so a value containing SQL syntax leaves the intended comparison and becomes part of the query itself. The CNA describes the affected logic only as "some unknown processing", so the exact query and the meaning of cid (an identifier of some kind, judging by the name) are not documented here. Affected CPE: cpe:2.3:a:code-projects:online_appointment_booking_system:1.0:*:*:*:*:*:*:*.
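To make the root cause concrete, the following is an added example and not the code-projects source, which this page does not reproduce: a hypothetical reconstruction of a /getdoctordaybooking.php handler with the concatenation pattern the CNA describes, next to a hardened version that validates cid and binds it through a PDO prepared statement. The table and column names (booking, booking_id, doctor_id, booking_date, cid), the tautology payload and the GRANT statement are assumptions. The demo at the bottom runs offline against an in-memory SQLite database so the effect of the injection is visible without a MySQL server.

```php
<?php
// Added example for CVE-2025-7539, not vendor code. The real query in
// /getdoctordaybooking.php is not on this page; table and column names are assumed.
// Runs offline with pdo_sqlite:  php getdoctordaybooking_example.php
declare(strict_types=1);

// VULNERABLE PATTERN (what the CNA describes): cid is spliced into the SQL text,
// so a crafted value changes the query instead of being compared as data.
function getDoctorDayBookingVulnerable(PDO $db, array $get): array
{
    $cid = $get['cid'] ?? '';
    $sql = 'SELECT booking_id, doctor_id, booking_date FROM booking WHERE cid = ' . $cid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED, step 1: allowlist validation of the expected type (a positive integer).
// FILTER_VALIDATE_INT rejects "1 OR 1=1", "12'", "1;--" and "1e3" alike; no blocklist
// of "dangerous characters" is needed or wanted.
function validateCid(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                       // missing, array (cid[]=...), object: reject
    }
    $cid = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX]]);
    return $cid === false ? null : $cid;
}

// HARDENED, step 2: a prepared statement with a bound parameter. The database
// receives query text and value separately, so even a value that slipped past
// validation could not change the query's structure.
function getDoctorDayBookingSafe(PDO $db, array $get): ?array
{
    $cid = validateCid($get['cid'] ?? null);
    if ($cid === null) {
        return null;                       // caller should answer HTTP 400
    }
    $stmt = $db->prepare(
        'SELECT booking_id, doctor_id, booking_date FROM booking WHERE cid = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Production connection for MySQL/MariaDB. EMULATE_PREPARES=false makes the server
// bind the parameters; ERRMODE_EXCEPTION stops a failed query from being ignored.
// The account should hold only what this endpoint needs, for example (assumed schema):
//   GRANT SELECT ON appointment.booking TO 'booking_ro'@'localhost';
function connectProduction(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// ---- Offline demonstration with constructed rows (SQLite in memory) ----
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE booking (booking_id INTEGER, cid INTEGER, doctor_id INTEGER, booking_date TEXT)');
$db->exec("INSERT INTO booking VALUES (1, 1, 10, '2025-07-14'), (2, 2, 11, '2025-07-14'), (3, 3, 12, '2025-07-15')");

$attack = ['cid' => '1 OR 1=1'];   // constructed tautology, i.e. ?cid=1%20OR%201%3D1
$legit  = ['cid' => '2'];

printf("vulnerable, cid=%s: %d rows (every record, not just cid 1)\n",
    $attack['cid'], count(getDoctorDayBookingVulnerable($db, $attack)));
printf("hardened,   cid=%s: %s\n",
    $attack['cid'], getDoctorDayBookingSafe($db, $attack) === null ? 'rejected with 400' : 'rows returned');
printf("hardened,   cid=%s: %d row\n",
    $legit['cid'], count(getDoctorDayBookingSafe($db, $legit)));
```

The validation step is there to fail fast and to give a clean 400 instead of a database error; the bound parameter is the control that actually removes the injection. Keeping both means a future change to the query (say, cid becomes a string key) does not silently reopen the hole as long as the binding stays.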

Remediation (AI)

Immediate actions:

1. Fix the code: build the query in /getdoctordaybooking.php with a prepared statement (mysqli or PDO) and bind cid as a parameter. This is the actual fix and does not depend on a vendor release. Check the code-projects site for an updated version, but do not wait for one.
2. Validate cid against its expected type before it reaches the query (for an identifier, a positive integer via filter_var with FILTER_VALIDATE_INT or an equivalent allowlist). Treat this as defense in depth: rejecting "special SQL characters" with a blocklist is bypassable and is not a substitute for parameterization.
3. Until the code is fixed, restrict reach to /getdoctordaybooking.php (WAF rule, reverse-proxy ACL or IP allowlist) and enable SQL injection signatures on the WAF/IDS in blocking mode for that path.
4. Run the application's database account with least privilege: SELECT on the tables this endpoint reads, no write, FILE or administrative grants, so that a successful injection cannot escalate to arbitrary data modification or file access.
5. Assume exposure since publication (Jul 13, 2025) and hunt for abuse: review web server access logs and database general or slow query logs for cid values that are not plain integers (quotes, UNION, comment markers, sleep/benchmark), and verify the integrity of booking and account tables.
6. If patch availability is unclear, contact code-projects directly for an advisory and timeline.
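For the audit step, an added example (not vendor code) that triages Apache/Nginx combined-format access logs for tampering with cid on /getdoctordaybooking.php. The log lines are constructed, and the indicator patterns are a starting point rather than a complete SQL injection grammar. Access logs only show GET parameters: if the application reads cid from a POST body, the same classification has to run over WAF or application-level request logs instead.

```php
<?php
// Added example for CVE-2025-7539: flag non-numeric cid values sent to
// /getdoctordaybooking.php in combined-format access logs. Sample lines are constructed.
declare(strict_types=1);

const TARGET_PATH = '/getdoctordaybooking.php';

// A benign request carries a plain positive integer. Anything else is reported
// with the first matching indicator; UNION is checked before the broader patterns.
function classifyCid(string $cid): ?string
{
    if (preg_match('/^[1-9][0-9]*$/', $cid)) {
        return null;                                   // benign
    }
    $indicators = [
        'union-select'       => '/\bunion\b[\s\S]*\bselect\b/i',
        'time-based'         => '/\b(sleep|benchmark|pg_sleep|waitfor)\b/i',
        'boolean/tautology'  => '/\b(or|and)\b\s*[\w\'"]+\s*=\s*[\w\'"]+/i',
        'comment-trailer'    => '/(--|#|\/\*)/',
        'quote-break'        => '/[\'"]/',
        'stacked-query'      => '/;/',
    ];
    foreach ($indicators as $label => $re) {
        if (preg_match($re, $cid)) {
            return $label;
        }
    }
    return 'non-numeric';
}

// Parse one combined-format line into ip, time, method, path, query, status.
function parseCombinedLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[4]) ?: [];
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $parts['path'] ?? '', 'query' => $parts['query'] ?? '',
            'status' => (int) $m[5]];
}

function triageAccessLog(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parseCombinedLine($line);
        if ($req === null || $req['path'] !== TARGET_PATH) {
            continue;
        }
        parse_str($req['query'], $params);               // also URL-decodes the value
        $cid = $params['cid'] ?? null;
        if (is_array($cid)) {                            // cid[]=... is never legitimate here
            $findings[] = $req + ['cid' => '(array)', 'indicator' => 'array-param'];
            continue;
        }
        if (!is_string($cid)) {
            continue;                                    // no cid at all
        }
        $label = classifyCid($cid);
        if ($label !== null) {
            $findings[] = $req + ['cid' => $cid, 'indicator' => $label];
        }
    }
    return $findings;
}

// Constructed sample: one legitimate request, a quote probe that triggers a 500
// (error-based footprint), a tautology with a much larger response (boolean-based
// footprint), a UNION attempt, and an unrelated path that must be ignored.
$sample = [
    '203.0.113.7 - - [14/Jul/2025:10:01:02 +0000] "GET /getdoctordaybooking.php?cid=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jul/2025:10:01:09 +0000] "GET /getdoctordaybooking.php?cid=12%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Jul/2025:10:02:30 +0000] "GET /getdoctordaybooking.php?cid=1%20OR%201%3D1 HTTP/1.1" 200 8190 "-" "sqlmap/1.8"',
    '198.51.100.4 - - [14/Jul/2025:10:02:31 +0000] "GET /getdoctordaybooking.php?cid=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048 "-" "sqlmap/1.8"',
    '192.0.2.9 - - [14/Jul/2025:10:03:00 +0000] "GET /index.php?cid=1%27 HTTP/1.1" 200 300 "-" "curl/8.0"',
];

foreach (triageAccessLog($sample) as $f) {
    printf("%s %s HTTP %d cid=%s -> %s\n",
        $f['time'], $f['ip'], $f['status'], $f['cid'], $f['indicator']);
}
```

When reading the output, correlate with the response column: a 500 immediately after a quote-break and a response body far larger than the baseline after a tautology are the classic error-based and boolean-based footprints, and the same source address hitting both in quick succession is a strong sign of automated scanning rather than a typo.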


CVE-2025-7539 vulnerability details – vuln.today
