EUVD-2025-21268Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability, which was classified as critical, was found in code-projects Online Appointment Booking System 1.0. Affected is an unknown function of the file /getclinic.php. The manipulation of the argument townid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AnalysisAI
CVE-2025-7540 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System 1.0 affecting the /getclinic.php file's townid parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the database. The vulnerability has been publicly disclosed with exploit code available, creating immediate operational risk for deployed instances.
Technical ContextAI
The vulnerability exists in the Online Appointment Booking System (a PHP-based web application), specifically in the /getclinic.php endpoint which likely queries clinic data filtered by geographic location (townid parameter). The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating insufficient input validation/sanitization before SQL query construction. The townid parameter is passed directly into SQL statements without prepared statements or parameterized queries. This is a classic second-order SQL injection or direct SQL injection scenario where user input flows unsanitized into database queries. PHP applications using mysqli or PDO without proper prepared statement usage are particularly susceptible.
RemediationAI
- IMMEDIATE: Apply input validation and sanitization to the townid parameter—implement allowlist validation (e.g., numeric-only if townid should be numeric) before SQL usage. 2) PRIMARY FIX: Refactor /getclinic.php to use parameterized queries/prepared statements with bound parameters (mysqli prepared statements or PDO prepared statements) instead of string concatenation for SQL construction. 3) Update to the latest patched version of Online Appointment Booking System once released by code-projects. 4) SHORT-TERM MITIGATION: Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the townid parameter (e.g., block payloads containing SQL keywords: UNION, SELECT, OR 1=1). 5) Apply principle of least privilege to database user credentials used by the application. 6) No vendor advisory URL was provided; check code-projects official repository or security advisories for patch availability. 7) Conduct code review of all similar parameter handling throughout the application.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today