Simple Food Ordering System
CVE-2025-11612
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in code-projects Simple Food Ordering System 1.0. This impacts an unknown function of the file /addproduct.php. The manipulation of the argument Category leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Category parameter in /addproduct.php. The vulnerability has low practical risk despite public exploit availability due to CVSS 2.1 scoring and minimal confidentiality/integrity impact, though it requires prior authentication. EPSS exploitation probability is extremely low at 0.03% percentile, suggesting limited real-world attack interest despite public POC availability.
Technical ContextAI
The vulnerability stems from improper input validation in the /addproduct.php endpoint, where the Category parameter is directly concatenated into SQL queries without parameterized statements or sanitization (CWE-74: Improper Neutralization of Special Elements used in an Output). The affected product is a lightweight PHP-based food ordering platform (cpe:2.3:a:fabian:simple_food_ordering_system:1.0:*:*:*:*:*:*:*) that fails to implement prepared statements or input filtering. This classic SQL injection vector allows an authenticated user to manipulate database queries by injecting SQL metacharacters through the Category field.
RemediationAI
No vendor-released patch identified at time of analysis. Organizations using Simple Food Ordering System 1.0 should immediately implement input validation and parameterized queries in /addproduct.php, specifically by replacing string concatenation of the Category parameter with prepared statements using parameterized placeholders. If source code modification is not feasible, implement a Web Application Firewall (WAF) rule to block requests containing SQL metacharacters (single quotes, double dashes, semicolons, UNION keywords) in the Category parameter, noting that this may block legitimate category names containing special characters. Restrict access to /addproduct.php to trusted administrative users only via IP whitelisting or role-based access controls, reducing the authentication pool from which attacks could originate. Consider upgrading to an actively maintained food ordering platform if this project is no longer receiving security updates.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today