Simple Food Ordering System
CVE-2025-12298
LOW
Severity by source: NVD (primary rating; the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was identified in code-projects Simple Food Ordering System 1.0. This affects an unknown part of the file /editcategory.php. The manipulation of the argument pname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in Simple Food Ordering System 1.0 via the pname parameter of /editcategory.php lets a remote attacker inject JavaScript that runs in a victim's browser within the application's origin. The attack needs a victim to open an attacker-supplied link, which the CVSS 4.0 vector records as passive user interaction (UI:P) with no privileges required (PR:N) and low attack complexity (AC:L); the vector assigns only a low integrity impact (VI:L) and no confidentiality or availability impact, which is why the overall rating is LOW. Exploit code is public (E:P), but active exploitation is unconfirmed, and the EPSS score of 0.03% indicates a low likelihood of real-world exploitation despite the public POC.
Technical Context (AI)
Simple Food Ordering System is a PHP-based web application for food ordering. In /editcategory.php the value of the pname request parameter is reflected into the HTTP response without HTML encoding or validation. This is a classic reflected XSS (CWE-79: Improper Neutralization of Input During Web Page Generation): the attacker crafts a URL that carries markup or script in pname, and when a victim loads that URL the browser parses the reflected input as part of the page and executes any script in the application's origin, with access to that page's DOM and to any session cookies not marked HttpOnly. The advisory does not say where in the page the value lands (it names only an "unknown part" of the file), so whether the reflection is into element text, an attribute value or a script block, which determines both the payload shape that works and the correct encoding for the fix, has to be confirmed from the source. The attack vector is network-based with low complexity and no privileges required, so any remote party can build the malicious link; what they still need is a user of the application to follow it.
Remediation (AI)
The primary remediation is to upgrade to a patched version once the vendor releases one, or to correct /editcategory.php directly: every value derived from the pname parameter must be HTML-encoded for the context it is written into (for element text and attribute values, converting <, >, ", ' and & to entities, which in PHP is htmlspecialchars() with ENT_QUOTES and an explicit charset) before it is included in the response. Encoding has to match the output context: attribute encoding does not make a value safe inside a <script> block or a URL. Validating the parameter against an allow-list of characters acceptable in a category name is a useful second layer but not a substitute for output encoding. If no patch is available, a Content Security Policy that refuses inline script (for example Content-Security-Policy: script-src 'self') prevents a reflected payload from executing even when it reaches the page, provided the application does not itself rely on inline scripts or inline event handlers; if it does, the policy will break those features and needs nonces or refactoring first. A Web Application Firewall rule that blocks common XSS payloads in requests to /editcategory.php raises the cost of exploitation but is routinely bypassed with encoding variants. CSP and WAF controls reduce the practical impact without removing the flaw; the vendor patch or code-level output encoding remains the real fix.