Simple Food Ordering System
CVE-2025-12299
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security flaw has been discovered in code-projects Simple Food Ordering System 1.0. This vulnerability affects unknown code of the file /addproduct.php. The manipulation of the argument pname/category/price results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
Analysis (AI)
Cross-site scripting (XSS) in code-projects Simple Food Ordering System 1.0 allows remote attackers to inject script through the pname, category or price parameters of /addproduct.php. The CVE text does not say whether the injection is reflected or stored; because the endpoint creates product records, a payload that is persisted and rendered wherever products are listed is the more likely case. Execution requires a victim to perform an action (UI:P), the vector records no privilege requirement (PR:N), and public exploit code exists. NVD rates the issue low (CVSS 4.0 score 2.1) because of the user-interaction requirement and the limited, integrity-only impact (VI:L).
Technical Context (AI)
Simple Food Ordering System is a small PHP web application for managing food orders. /addproduct.php handles product creation and accepts the parameters pname (product name), category and price. The values are accepted without validation and rendered without output encoding, so characters such as angle brackets and quotes reach the browser intact and an attacker can inject arbitrary HTML and JavaScript (CWE-79: Cross-site Scripting). That price, a field that should only ever hold a number, is injectable shows that no type checking is performed on the input at all. Per the CVSS 4.0 vector the attack is network-reachable with low complexity (AV:N/AC:L), needs no privileges (PR:N) and requires user interaction to trigger (UI:P).
Remediation (AI)
No vendor patch had been identified at the time of analysis. Workarounds, in order of how much they reduce exposure: (1) Require authentication for /addproduct.php. The vector records PR:N, so product creation is currently reachable by anyone who can reach the host; gating it behind an administrator session (or IP allow-listing for internal deployments) removes the unauthenticated attack path entirely. (2) Encode on output: pass every product field through htmlspecialchars() with ENT_QUOTES (or an equivalent HTML entity encoder) wherever it is rendered into HTML, including product listings and order pages, not only in the response to addproduct.php itself. (3) Validate on input: enforce a length limit and character policy on pname, restrict category to a server-side allow-list, and reject a price that is not numeric. Rejecting bad input is more robust than stripping tags with regular expressions, which is easy to bypass. (4) Add a Content-Security-Policy header as defence in depth; a script-src directive only blocks injected inline scripts if 'unsafe-inline' is absent, which means any legitimate inline scripts in the application have to be moved to files or given nonces first. The project is open source with a small user base; contact the maintainer (Fabian) via code-projects.org to request a fixed release. Until then, treat this as a medium-effort fix: the CVSS score is low, but internet-facing deployments carry non-zero real-world risk, especially where the application's administrative pages are exposed.