Simple Food Ordering System
CVE-2025-12302
LOW
Severity by source: primary rating from NVD, the only source for this CVE.
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was detected in code-projects Simple Food Ordering System 1.0. The affected element is an unknown function of the file /editproduct.php. Performing manipulation of the argument pname/category/price results in cross-site scripting. The attack may be initiated remotely. The exploit is now public and may be used.
Analysis (AI)
Cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts via the unsanitized pname, category and price parameters of the /editproduct.php endpoint. Exploitation requires user interaction (UI:P) and carries only low integrity impact; exploit code is publicly available, yet the EPSS probability remains minimal (0.03%), suggesting limited real-world adoption or practical exploitation barriers.
Technical Context (AI)
The vulnerability stems from improper input validation in a PHP-based food ordering application. The /editproduct.php file fails to sanitize user-supplied input for the product name, category, and price parameters before reflecting them in responses, creating a classic reflected XSS condition (CWE-79: Improper Neutralization of Input During Web Page Generation). The attack vector is network-based and unauthenticated (AV:N/PR:N), meaning an attacker can craft malicious URLs and deliver them to users without authentication. However, exploitation requires user interaction (UI:P), limiting the attack surface to scenarios where an application user or administrator visits a malicious link containing injected script payloads.
Remediation (AI)
Immediate action: update to a patched version of Simple Food Ordering System if one is available from the vendor at code-projects.org, or contact the developer (cna@vuldb.com or Fabian) for patch status; no specific patched version number is confirmed in the available data. If no patch is available, implement the following compensating controls: (1) apply input validation and output encoding to all product-related parameters in /editproduct.php, validating input against a whitelist (alphanumerics and safe symbols only for product names and categories, numeric validation for prices) before storage and applying HTML entity encoding (htmlspecialchars() in PHP) before display in any HTML context; (2) add Content Security Policy (CSP) headers (e.g., Content-Security-Policy: default-src 'self'; script-src 'self') to block inline and external script execution even if an XSS payload reaches the browser; (3) restrict administrative access to /editproduct.php via IP whitelisting or a VPN requirement where possible, reducing the phishing attack surface. Each control trades defense in depth against operational complexity: CSP in particular may break legitimate functionality if the application relies on inline scripts, so test it before deployment.
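The first two compensating controls above, written out as an added example (this is not code from Simple Food Ordering System; only the parameter names pname, category and price come from the advisory, the request method, field lengths and page markup are assumptions):

```php
<?php
// Added example, not code from Simple Food Ordering System: hardened handling
// of the pname/category/price parameters (names from the advisory; the rest assumed).
declare(strict_types=1);

// Compensating control (2): CSP that blocks inline and third-party scripts.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('Content-Type: text/html; charset=UTF-8');

// Compensating control (1a): whitelist validation before the values are stored.
function validate_product(array $in): array
{
    $errors   = [];
    $name     = trim((string)($in['pname'] ?? ''));
    $category = trim((string)($in['category'] ?? ''));
    $price    = (string)($in['price'] ?? '');

    // Letters, digits, spaces and a few safe punctuation marks only.
    if (!preg_match('/^[\p{L}\p{N} .,()-]{1,100}$/u', $name)) {
        $errors[] = 'pname';
    }
    if (!preg_match('/^[\p{L}\p{N} -]{1,50}$/u', $category)) {
        $errors[] = 'category';
    }
    // Price: non-negative decimal with at most two fractional digits.
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        $errors[] = 'price';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'pname' => $name, 'category' => $category, 'price' => $price];
}

// Compensating control (1b): HTML entity encoding at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$result = validate_product($_GET);
if (!$result['ok']) {
    http_response_code(400);
    // Only field names are echoed back, never the rejected values.
    echo '<p>Invalid field(s): ' . h(implode(', ', $result['errors'])) . '</p>';
    exit;
}
// Even validated values are encoded before being placed in HTML attributes.
echo '<input name="pname" value="' . h($result['pname']) . '">';
echo '<input name="category" value="' . h($result['category']) . '">';
echo '<input name="price" value="' . h($result['price']) . '">';
```

Validation and encoding are kept as separate steps on purpose: the whitelist rejects unexpected input early, while htmlspecialchars() still protects the output if a later code change loosens the whitelist.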