Simple Food Ordering System
CVE-2025-11600
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in code-projects Simple Food Ordering System 1.0. Affected is an unknown function of the file editcategory.php. Such manipulation of the argument cname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
AnalysisAI
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the cname parameter in editcategory.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists; however, the EPSS score of 0.03% indicates minimal real-world exploitation probability despite remote network accessibility and low attack complexity.
Technical ContextAI
Simple Food Ordering System 1.0 is a PHP-based web application for food ordering management. The vulnerability exists in editcategory.php, where user-supplied input to the cname parameter is directly incorporated into SQL queries without proper parameterization or input validation. This is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), a parent category encompassing SQL injection flaws. The attack vector is network-based, and the CVSS vector shows authentication is required (PR:L), limiting the attack surface to users with legitimate access to the application. The scope of impact is limited to confidentiality and integrity of data (VC:L/VI:L) with no availability impact (VA:L/SA:N).
RemediationAI
The primary remediation is to upgrade to a patched version of Simple Food Ordering System if available from the vendor at code-projects.org; however, no specific patched version has been identified in available data. As an interim control, implement parameterized queries (prepared statements) in editcategory.php to neutralize the SQL injection in the cname parameter - this requires code modification. If immediate patching is not feasible, restrict access to editcategory.php to trusted administrator accounts only, enforce strong authentication and IP whitelisting, and implement Web Application Firewall (WAF) rules to block SQL injection payloads (e.g., blocking common SQLi keywords in the cname parameter). Database-level mitigations include running the application's database user with minimal required privileges (read-only access where appropriate, no DDL permissions) to limit the impact of successful injection. Input validation on the cname parameter (whitelist alphanumeric characters and safe punctuation) provides defense-in-depth but should not replace parameterized queries.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today