Severity by source

CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in code-projects Online Appointment Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /get_town.php. The manipulation of the argument countryid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Analysis (AI)
CVE-2025-7541 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, affecting the /get_town.php endpoint where the 'countryid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the appointment booking system database. The vulnerability has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.
Technical Context (AI)
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests as a classic SQL injection flaw. The affected component is the /get_town.php file in code-projects Online Appointment Booking System 1.0 (CPE identifier: cpe:2.3:a:code-projects:online_appointment_booking_system:1.0:*:*:*:*:*:*:*). The root cause is the failure to properly validate, sanitize, or parameterize user input (specifically the 'countryid' parameter) before incorporating it into SQL query construction. The application likely concatenates user input directly into SQL statements without using prepared statements or parameterized queries, allowing attackers to inject malicious SQL syntax.
Remediation (AI)

- Primary Remediation (priority: CRITICAL): Apply the security patch or upgrade to a patched version of code-projects Online Appointment Booking System if one is available from the vendor. Check the vendor's official advisory and security portal for available patches.
- Code-Level Mitigation (priority: CRITICAL): Implement parameterized queries (prepared statements) for all database interactions in /get_town.php. Replace direct string concatenation with parameter binding so that user input cannot alter the SQL query structure. Example: use prepared statements with placeholders (?) instead of concatenating the countryid parameter directly into the SQL query.
- Input Validation (priority: HIGH): Implement strict input validation on the 'countryid' parameter. Validate that the input is a valid integer and matches expected country ID values from a whitelist. Reject any input that does not conform to the expected format.
- Web Application Firewall (priority: MEDIUM): Deploy or configure a Web Application Firewall (WAF) with SQL injection detection and prevention rules to block malicious SQL payloads targeting /get_town.php before they reach the application.
- Database Permissions (priority: MEDIUM): Apply the principle of least privilege to the database credentials used by the application. Restrict the database user account to the minimum permissions required for appointment booking operations.
- Monitoring (priority: MEDIUM): Implement database query monitoring and anomaly detection to identify potential SQL injection attempts or suspicious database activity. Monitor logs for unusual query patterns.
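The following PHP is an added illustration of the defect pattern described under Technical Context and of the code-level mitigation and input validation recommended above; it is not code from the Online Appointment Booking System. The table and column names (towns.id, towns.name, towns.country_id), the $db mysqli connection and the JSON response shape are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// mysqli connection details below are assumptions for illustration.
declare(strict_types=1);

// Surface mysqli failures as exceptions instead of silent false returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Shape of the flaw the advisory describes: the request parameter is
 * concatenated straight into the SQL text, so whatever the client sends
 * becomes part of the query. Shown only for contrast with the fixed version.
 */
function get_towns_vulnerable(mysqli $db, string $countryid): array
{
    $sql = "SELECT id, name FROM towns WHERE country_id = " . $countryid;
    $result = $db->query($sql);
    return $result->fetch_all(MYSQLI_ASSOC);
}

/**
 * Hardened version: the parameter must be a positive integer (the only
 * value a country ID can legitimately take), and it is then bound as an
 * integer to a prepared statement, so the value can never change the
 * structure of the query. Returns null when the input is rejected.
 */
function get_towns_safe(mysqli $db, mixed $countryid): ?array
{
    // Input validation: FILTER_VALIDATE_INT rejects anything that is not a
    // plain integer (including null, empty strings and trailing characters).
    $id = filter_var($countryid, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 2147483647],
    ]);
    if ($id === false) {
        return null;
    }

    // Parameterized query: the placeholder is bound with type 'i' (integer).
    $stmt = $db->prepare('SELECT id, name FROM towns WHERE country_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    // get_result() requires the mysqlnd driver, which is the default in modern PHP.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Handler in the style of get_town.php (connection parameters are assumed).
// Note the least-privilege idea from the remediation list: 'booking_ro' is
// meant to be an account limited to reading the tables this endpoint needs.
$db = new mysqli('localhost', 'booking_ro', 'change-me', 'booking');
header('Content-Type: application/json');

$towns = get_towns_safe($db, $_GET['countryid'] ?? null);
if ($towns === null) {
    http_response_code(400);
    echo json_encode(['error' => 'countryid must be a positive integer']);
    exit;
}
echo json_encode($towns);
```

The two checks are complementary: validation rejects malformed values before any database call and gives a clear 400 response, while the bound integer parameter guarantees that even a value which passes validation is treated as data rather than as query text.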
EUVD identifier: EUVD-2025-21272