CVE-2025-50383: 
PHP vulnerability analysis and mitigation

Easy!Appointments version 1.5.1 contains a SQL injection vulnerability identified as CVE-2025-50383. The vulnerability was discovered in the application's search functionality where the order_by parameter can be manipulated to perform SQL injection attacks. The issue affects multiple endpoints in the application and was fixed in version 1.5.2 (GitHub Repository, Easy!Appointments).

The vulnerability exists in multiple search endpoints of Easy!Appointments where the orderby parameter is not properly sanitized. The affected endpoints include /index.php/customers/search, /index.php/Unavailabilities/search, and /index.php/Appointments/search for low-privileged users, as well as several administrator-only endpoints such as /index.php/providers/search and /index.php/secretaries/search. The vulnerability can be exploited through time-based blind SQL injection techniques by injecting payloads like 'IF(1=1,SLEEP(5),1)' into the orderby parameter (GitHub Repository).

The SQL injection vulnerability allows authenticated users, including those with low-privilege roles such as Customers and Providers, to execute unauthorized SQL commands on the underlying MySQL database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, or other malicious activities (GitHub Repository).

The vulnerability has been fixed in Easy!Appointments version 1.5.2. Users are advised to upgrade to this latest version to protect against this security issue (Easy!Appointments).