
Food Ordering System CVE-2025-12315

Severity: LOW · score 2.0 (CVSS 4.0, NVD)
Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-27 · CNA: cna@vuldb.com

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:33 (vuln.today)

Description (CVE.org)

A vulnerability was determined in code-projects Food Ordering System 1.0. This affects an unknown function of the file /admin/menu.php. Executing a manipulation of the argument itemPrice can lead to SQL injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

Analysis (AI)

SQL injection in code-projects Food Ordering System 1.0 allows high-privileged remote attackers to manipulate the itemPrice parameter in /admin/menu.php, leading to limited data exposure and modification. The vulnerability requires administrative authentication and has publicly available exploit code, but carries low real-world exploitation risk because of the administrative privilege requirement and the minimal technical impact (CVSS 2.0, EPSS 0.03%).

Technical Context (AI)

The vulnerability is a classic SQL injection, classified here under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), in a PHP-based web application. The /admin/menu.php endpoint fails to validate or parameterize the itemPrice input parameter before incorporating it into SQL queries, so an attacker holding administrative credentials can inject arbitrary SQL commands. The Food Ordering System is a lightweight PHP e-commerce application, commonly used for small restaurant or food delivery platforms.

Remediation (AI)

Immediate upgrade to a patched version is recommended, though no specific patched version number is documented in the available references; contact code-projects directly at https://code-projects.org/ for availability of version 1.1 or later. If an upgrade is not immediately feasible, implement input validation and parameterized queries (prepared statements) in the /admin/menu.php itemPrice handler to prevent SQL injection. Additionally, restrict administrative panel access to trusted IP addresses and enforce multi-factor authentication on admin accounts to reduce the window for exploiting compromised credentials. Monitor database query logs for suspicious SQL patterns in admin operations. These controls mitigate the vulnerability without downtime but do not eliminate it; patching remains the definitive solution.
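To make the remediation concrete, the following is an added example (not code from the Food Ordering System project, whose actual menu.php source is not reproduced on this page): a hypothetical price-update handler in the concatenation pattern the advisory describes, followed by the hardened form that validates itemPrice and binds it through a prepared statement. It assumes a MySQL table `menu` with columns `id` and `price`, a mysqli connection in `$db`, and that the admin session check has already run.

```php
<?php
// Added example, not project code. Assumptions: table `menu` (id INT, price DECIMAL),
// mysqli connection in $db, admin authentication already enforced upstream.

// --- Vulnerable pattern (for contrast only): request values spliced into the SQL text ---
function updateItemPriceUnsafe(mysqli $db, array $post): bool
{
    $itemId    = $post['itemId'];
    $itemPrice = $post['itemPrice'];   // attacker-controlled string, used verbatim
    $sql = "UPDATE menu SET price = '$itemPrice' WHERE id = '$itemId'";
    return $db->query($sql) === true;  // a quote character in itemPrice alters the statement
}

// --- Hardened version: validate the value first, then bind it as a parameter ---
function parsePrice(string $raw): ?float
{
    // A price is a non-negative decimal with at most two fractional digits; anything
    // else (letters, quotes, comment sequences) is rejected before any SQL is built.
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    return (float) $raw;
}

function updateItemPrice(mysqli $db, array $post): bool
{
    $itemId = filter_var($post['itemId'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $price  = parsePrice((string) ($post['itemPrice'] ?? ''));
    if ($itemId === false || $price === null) {
        http_response_code(400);       // reject malformed input instead of passing it on
        return false;
    }
    // The SQL text is fixed; the driver sends the values separately, so they are
    // never interpreted as query syntax regardless of their content.
    $stmt = $db->prepare('UPDATE menu SET price = ? WHERE id = ?');
    $stmt->bind_param('di', $price, $itemId);   // d = double, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The validation step is what makes the query-log monitoring mentioned above meaningful: once the handler only ever issues the fixed statement, any other SQL text originating from the admin price path is by itself an anomaly worth alerting on.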
