
Simple Food Ordering System CVE-2025-11613

Severity: LOW (CVSS 4.0 base score 2.1, source NVD)
Weakness: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Date: 2025-10-11 (CNA: cna@vuldb.com)

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD), decoded

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability Low
Subsequent System Impact: None
Exploit Maturity: Proof-of-Concept
Environmental and supplemental metrics (including Safety, S): not defined

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:31 (vuln.today)

Description (CVE.org)

A vulnerability was found in code-projects Simple Food Ordering System 1.0. Affected is an unknown function of the file /addcategory.php. The manipulation of the argument cname results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

Analysis (AI-generated)

SQL injection in Simple Food Ordering System 1.0 allows an authenticated remote attacker (PR:L) to alter the SQL statement built from the cname parameter of /addcategory.php, compromising the confidentiality and integrity of the application database. A public proof of concept exists, reflected as E:P in the vector. The CVSS 4.0 vector rates the impact on the vulnerable system as Low for confidentiality, integrity and availability and records no impact on subsequent systems, which is why the score is only 2.1. The EPSS score of 0.03% (8th percentile) suggests low real-world exploitation likelihood despite the public proof of concept; note that EPSS reflects observed exploitation activity, not the difficulty of the attack, which the vector rates as low (AC:L, AT:N).

Technical Context (AI-generated)

The vulnerability is in the PHP code behind the /addcategory.php endpoint. The cname parameter is not neutralized before being incorporated into a SQL statement, so an attacker controls the structure of the statement rather than just a value in it. The assigned weakness, CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), is the generic injection class; SQL injection specifically is its child, CWE-89, and the root cause is the same: user input is concatenated or hand-escaped into the query text instead of being passed to the database as a bound parameter. An attacker with valid credentials for the category-management function can place SQL syntax in cname to change the query's logic, read data from other tables through subqueries, or modify database contents, subject to the privileges of the database account the application connects with and the SQL dialect of the backend.

Remediation (AI-generated)

Upgrade to a patched version if one is available from code-projects.org or the project repository. The primary remediation is to use parameterized queries (prepared statements) in /addcategory.php for the cname parameter: replace every string concatenation of user input into SQL with a placeholder (? with mysqli, ? or a named parameter with PDO) and bind the value separately. Additionally, validate cname against an allow-list of permitted characters and enforce a maximum length before any database operation; treat this as defence in depth, since the prepared statement is what actually prevents injection. While the code fix is pending, apply temporary mitigations: restrict access to /addcategory.php to trusted administrator IP ranges via a web application firewall or network access control, or add WAF rules that block common SQL injection payloads in the cname parameter (signature matching can be bypassed, so this is not a complete fix). These mitigations trade operational convenience for reduced risk and should be replaced with the code-level fix within 30 days. Because the flaw is a coding pattern rather than a single line, audit the other input-handling scripts in the same application for the same concatenation before declaring it fixed.
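The vulnerable and hardened patterns side by side, as an added example that is not code from Simple Food Ordering System or code-projects (the project's real addcategory.php is not reproduced on this page). It assumes that cname is concatenated into an INSERT statement, uses illustrative table and column names (categories, cname, users, password), and substitutes an in-memory SQLite database for MySQL so that it runs offline with only the php CLI:

```php
<?php
// Added example (not code from Simple Food Ordering System or code-projects).
// Assumptions, unverified against the real /addcategory.php: the script
// inserts $_POST['cname'] into a category table by string concatenation,
// and the table/column names here ("categories", "cname", "users",
// "password") are illustrative. An in-memory SQLite database stands in
// for MySQL so the file runs offline: php addcategory_demo.php

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
$db->exec('CREATE TABLE categories (cname TEXT NOT NULL)');
// Constructed sample row; the value is a placeholder, not a real hash.
$db->exec("INSERT INTO users VALUES ('admin', 'constructed-admin-password-hash')");

// Vulnerable pattern: the category name is spliced into the SQL text, so an
// attacker controls the statement's structure, not just a value.
function addCategoryVulnerable(PDO $db, string $cname): void
{
    $sql = "INSERT INTO categories (cname) VALUES ('" . $cname . "')";
    $db->exec($sql);
}

// Allow-list check: letters, digits, spaces and a few punctuation marks,
// 1 to 50 characters. Defence in depth only; it is not what stops injection.
function isValidCategoryName(string $cname): bool
{
    return preg_match('/^[A-Za-z0-9 &\'-]{1,50}$/', $cname) === 1;
}

// Hardened pattern: bound parameter. The database receives the statement
// and the value separately, so the value can never change the statement.
// With mysqli the equivalent is prepare('... VALUES (?)') + bind_param('s', $cname).
function addCategoryHardened(PDO $db, string $cname): void
{
    if (!isValidCategoryName($cname)) {
        throw new InvalidArgumentException('Rejected category name: ' . $cname);
    }
    $stmt = $db->prepare('INSERT INTO categories (cname) VALUES (:cname)');
    $stmt->execute([':cname' => $cname]);
}

function listCategories(PDO $db): array
{
    return $db->query('SELECT cname FROM categories')->fetchAll(PDO::FETCH_COLUMN);
}

// Payload that parses in both SQLite and MySQL: it closes the intended row,
// appends a row whose value is a subquery against another table, and opens
// a final row so the trailing quote of the original statement still parses.
$payload = "x'),((SELECT password FROM users LIMIT 1)),('y";

addCategoryVulnerable($db, $payload);
echo "After vulnerable insert:\n";
foreach (listCategories($db) as $row) {
    echo "  $row\n";   // the admin password value now sits in the category list
}

$db->exec('DELETE FROM categories');

try {
    addCategoryHardened($db, $payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // rejected by the allow-list before any SQL runs
}

// A legitimate name with an apostrophe passes validation and is stored
// verbatim because it travels as a parameter, not as SQL text.
addCategoryHardened($db, "Kids' Menu");
echo "After hardened insert:\n";
foreach (listCategories($db) as $row) {
    echo "  $row\n";
}
```

Run it with `php addcategory_demo.php`. The payload illustrates the data exposure the confidentiality rating refers to: a subquery inside an INSERT copies a value from another table into a row the application will later display. In the hardened path the allow-list rejects the payload first, but it is the bound parameter that would still neutralize it if the check were bypassed, and the apostrophe in "Kids' Menu" is stored as typed without any escaping code in the application.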


CVE-2025-11613 vulnerability details – vuln.today
