Simple Food Ordering System
CVE-2025-11603
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in code-projects Simple Food Ordering System 1.0. This vulnerability affects unknown code of the file /editproduct.php. The manipulation of the argument Category results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
AnalysisAI
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter in /editproduct.php, with publicly available exploit code demonstrating the vulnerability. Despite a low CVSS score of 2.1, the vulnerability requires valid credentials and produces limited confidentiality impact, explaining the minimal EPSS exploitation probability of 0.03%.
Technical ContextAI
The vulnerability exists in the /editproduct.php endpoint of a PHP-based food ordering application. The Category parameter is passed to a SQL query without proper input validation or parameterized query mechanisms, allowing SQL injection (CWE-74: Improper Neutralization of Special Elements used in an Output). The affected product is identified via CPE as fabian/simple_food_ordering_system version 1.0. This is a classic case of unsafe string concatenation in SQL query construction, common in legacy PHP applications that predate widespread adoption of prepared statements.
RemediationAI
Upgrade to a patched version if available from the vendor at https://code-projects.org/, though no specific patch version is documented in available advisories. If upgrading is not immediately possible, implement parameterized queries (prepared statements) in the /editproduct.php file, specifically for all SQL operations involving the Category parameter. Additionally, enforce input validation on the Category parameter using allowlist validation (e.g., only permit alphanumeric characters and hyphens if the application logic permits). Apply principle of least privilege to the database user account used by the PHP application to limit the scope of SQL injection damage-restrict the account to SELECT permissions only if product functionality allows. Restrict network access to /editproduct.php to trusted administrative IP ranges via web application firewall or reverse proxy rules, which will reduce the attack surface without requiring code changes.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today