Simple Food Ordering System
CVE-2025-12300
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A weakness has been identified in code-projects Simple Food Ordering System 1.0. This issue affects some unknown processing of the file /addcategory.php. This manipulation of the argument cname causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts via the cname parameter in /addcategory.php, which are executed in the browsers of users viewing affected content. The vulnerability requires user interaction (UI:P) to exploit but has a public proof-of-concept available. Despite the low CVSS score (2.1) and minimal EPSS percentile (10%), the combination of remote network access and public exploit code necessitates prompt patching to prevent account compromise and session hijacking.
Technical Context (AI-generated)
The vulnerability resides in a PHP-based web application (Simple Food Ordering System by Fabian) that fails to properly sanitize user input in the /addcategory.php endpoint. The cname (category name) parameter is processed without adequate output encoding or input validation, allowing attackers to inject arbitrary JavaScript code. This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where untrusted input is echoed directly into HTML responses or stored in a database without escaping HTML entities or applying Content Security Policy headers. The attack vector is network-based (AV:N), requires no special privileges (PR:N), and relies on low complexity (AC:L), making it easily reproducible with standard HTTP requests.
Remediation (AI-generated)
Upgrade to a patched version of Simple Food Ordering System released by the vendor following disclosure of CVE-2025-12300. If an immediate patch is unavailable, implement input validation on the cname parameter to reject or strip HTML/JavaScript metacharacters (< > " ' &), and ensure all output to HTML is HTML-entity-encoded. Deploy a Content Security Policy (CSP) header set to default-src 'self'; script-src 'self' (the keyword self must be single-quoted, otherwise browsers treat it as a host name) to block inline script execution as a defense-in-depth measure (trade-off: this may break legitimate inline scripts in the application and require code refactoring). Additionally, sanitize all user input on the server side using a library such as HTML Purifier for PHP before storing or rendering category names. Monitor the code-projects.org repository and CVE feeds for patch availability. If the vendor is unresponsive, consider replacing the application with a maintained alternative.
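The following PHP is an added example illustrating the remediation steps above; it is not code from Simple Food Ordering System or from code-projects. It shows the unsafe pattern behind CWE-79 (raw input echoed into HTML) next to a hardened handler for the cname parameter of /addcategory.php: an allowlist validator, context-aware HTML encoding at output time, the CSP header from the remediation text, and a prepared statement for storage. The table and column names (categories, cname), the validation policy (1-50 characters of letters, digits, spaces and basic punctuation) and the request flow are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Assumed: table `categories`
// with column `cname`; mbstring and PDO extensions available.
declare(strict_types=1);

// Unsafe pattern (CWE-79): the category name is placed into the page
// unencoded, so markup or script inside it is interpreted by the browser.
function render_category_unsafe(string $cname): string
{
    return "<li>{$cname}</li>";
}

// Allowlist validation of the cname parameter. Returns the trimmed name,
// or null when it violates the (assumed) policy. Angle brackets, quotes
// and ampersands are never accepted, matching the remediation advice.
function validate_category_name(string $raw): ?string
{
    $cname = trim($raw);
    if ($cname === '' || mb_strlen($cname, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,-]+$/u', $cname)) {
        return null;
    }
    return $cname;
}

// Context-aware output encoding for HTML text and attribute contexts.
// This is the primary control: a value that bypassed validation, or an
// old row already in the database, is rendered as text, not as markup.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_category_safe(string $cname): string
{
    return '<li>' . h($cname) . '</li>';
}

// Defense in depth: the CSP from the remediation section. Note the quoted
// 'self' keyword; this policy blocks inline <script> and event handlers.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Storage with a prepared statement. The value is stored as entered and
// encoded on output, so encoding is applied exactly once, in the right
// context, rather than baked into the database.
function store_category(PDO $pdo, string $cname): void
{
    $stmt = $pdo->prepare('INSERT INTO categories (cname) VALUES (:cname)');
    $stmt->execute([':cname' => $cname]);
}

// Assumed request flow for /addcategory.php when served over HTTP.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    send_csp_header();
    $cname = validate_category_name((string)($_POST['cname'] ?? ''));
    if ($cname === null) {
        http_response_code(400);
        echo '<p>Invalid category name.</p>';
        exit;
    }
    // $pdo = new PDO('mysql:host=localhost;dbname=food', 'user', 'pass');
    // store_category($pdo, $cname);
    echo render_category_safe($cname);
}

// Self-check with constructed sample values (not taken from the page):
// markup is rejected by validation and neutralised by encoding, while a
// plain name passes through unchanged.
function self_check(): bool
{
    $markup = '<b>Drinks</b>';
    $plain  = 'Hot Drinks';
    return validate_category_name($markup) === null
        && validate_category_name($plain) === $plain
        && render_category_safe($markup) === '<li>&lt;b&gt;Drinks&lt;/b&gt;</li>'
        && render_category_unsafe($markup) === '<li><b>Drinks</b></li>';
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "checks passed\n" : "checks FAILED\n";
}
```

Run it from the command line (php addcategory_hardened.php) to see the self-check; the unsafe renderer is kept only so the difference between the two outputs is visible side by side. Validation alone is not sufficient, since category names already stored before the fix are still rendered; encoding on output covers those rows as well.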