Food Ordering System
CVE-2025-12314
LOW
Severity by source: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability was found in code-projects Food Ordering System 1.0. The affected component is an unknown function in the file /admin/deleteitem.php. Manipulating the itemID argument results in SQL injection. The vulnerability can be exploited remotely. A public exploit exists and could be used.
Analysis (source: AI)
SQL injection in code-projects Food Ordering System 1.0 allows remote attackers who already hold administrator privileges to execute arbitrary SQL commands via the itemID parameter of /admin/deleteitem.php. Although an exploit is publicly available, real-world risk is minimal because authenticated administrator access is required and the impact scope is low (CVSS 2.0, EPSS 0.03%). The vulnerability affects only the administrative interface; it does not escalate privileges and does not compromise confidentiality at scale.
Technical Context (source: AI)
The vulnerability lies in the PHP code of /admin/deleteitem.php, where user-supplied input from the itemID parameter is insufficiently sanitized before being used to construct a SQL query. This is an injection flaw (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The affected application is code-projects Food Ordering System 1.0, a web-based food ordering platform written in PHP. The injection occurs in a delete operation, so specially crafted itemID values containing SQL syntax can alter the query that is executed against the database.
Remediation (source: AI)
No vendor-released patch had been identified at the time of analysis. Immediate remediation requires a manual code review and patch of /admin/deleteitem.php so that the itemID parameter is passed to the database through parameterized queries or prepared statements. Organizations using Food Ordering System 1.0 should contact code-projects directly via https://code-projects.org/ to request a patched version. As interim compensating controls:
1. Restrict access to the /admin/ endpoints to a whitelist of trusted IP addresses or a VPN, reducing exposure of the admin interface to attacker reconnaissance.
2. Enforce strong, multi-factor authentication for all administrator accounts to reduce the likelihood of credential compromise.
3. Deploy Web Application Firewall (WAF) rules that block SQL injection patterns in the itemID parameter (for example single quotes, UNION operators and comment syntax).
4. Enable database query logging and monitor it for suspicious SQL patterns.
5. Limit the database user permissions associated with the Food Ordering System application to only INSERT, UPDATE and DELETE on the necessary tables, preventing exfiltration via injected SELECT statements.
Note that WAF rules may produce false positives if itemID legitimately contains special characters; test thoroughly before deploying them in production.
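The following is an added illustration of the code-level fix recommended above; it is not code from Food Ordering System 1.0 or from code-projects. It places the unsafe pattern the advisory describes (request input concatenated into a DELETE statement) next to a hardened replacement that validates itemID as an integer and binds it through a PDO prepared statement. The DSN, the credentials, the table name `items` and the function names are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Assumed: a MySQL database
// reachable via the DSN below and a table `items` whose primary key is the
// integer column `itemID` (hypothetical names).
declare(strict_types=1);

function connect(string $user, string $pass): PDO
{
    return new PDO('mysql:host=localhost;dbname=foodordering;charset=utf8mb4', $user, $pass, [
        // Surface database errors as exceptions instead of silent failures.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use server-side prepared statements rather than client-side emulation,
        // so bound values are never spliced into the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// UNSAFE PATTERN (illustrative only): the request value is concatenated into
// the statement, so any SQL syntax inside itemID becomes part of the query.
function deleteItemUnsafe(PDO $pdo, array $request): int
{
    $itemID = $request['itemID'] ?? '';
    $sql = "DELETE FROM items WHERE itemID = '" . $itemID . "'";
    return $pdo->exec($sql);
}

// HARDENED VERSION: reject anything that is not a positive integer, then bind
// the value as a typed parameter so it can only ever be data, never syntax.
function deleteItemSafe(PDO $pdo, array $request): int
{
    $itemID = filter_var($request['itemID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($itemID === false) {
        http_response_code(400);
        throw new InvalidArgumentException('itemID must be a positive integer');
    }

    $stmt = $pdo->prepare('DELETE FROM items WHERE itemID = :itemID');
    $stmt->bindValue(':itemID', $itemID, PDO::PARAM_INT);
    $stmt->execute();
    // Number of rows removed (0 when no item with that ID existed).
    return $stmt->rowCount();
}

// Hypothetical call site inside /admin/deleteitem.php, after the existing
// administrator session check has passed:
// $pdo = connect(getenv('DB_USER'), getenv('DB_PASS'));
// $deleted = deleteItemSafe($pdo, $_GET);
```

The integer validation is the first line of defence and on its own already closes the injection for a numeric identifier; the prepared statement is kept as well so the query stays safe even if the parameter's type is later changed to something non-numeric. Disabling `PDO::ATTR_EMULATE_PREPARES` matters with the MySQL driver, which otherwise interpolates bound values client-side.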