CVE-2025-6358

| EUVD-2025-28727 HIGH
2025-06-20 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-28727
PoC Detected
Jun 26, 2025 - 13:04 vuln.today
Public exploit code
CVE Published
Jun 20, 2025 - 18:15 nvd
HIGH 7.3

Tags

PHP SQLi Simple Pizza Ordering System

Description

A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /saveorder.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6358 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /saveorder.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. Public proof-of-concept code is available, increasing the immediate risk of active exploitation.

Technical Context

The vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based web application. The /saveorder.php endpoint fails to properly sanitize or parameterize the ID parameter before incorporating it into SQL queries, allowing attackers to inject malicious SQL syntax. This occurs in a server-side scripting context where user input flows directly into database queries without prepared statements or input validation. The affected product is a simple e-commerce ordering system written in PHP, likely using traditional procedural database interaction methods rather than secure ORM frameworks.

Affected Products

Product: code-projects Simple Pizza Ordering System; Affected Version(s): 1.0 and likely all versions prior to patching; CPE (estimated): cpe:2.4:a:code-projects:simple_pizza_ordering_system:1.0:*:*:*:*:*:*:*; File: /saveorder.php; Parameter: ID. No patch version information is provided in available data; vendor advisory and patch availability status is unknown and requires direct contact with code-projects or monitoring of their repository/website.

Remediation

Immediate actions: (1) If patch is available from code-projects, apply immediately; (2) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the ID parameter (e.g., regex blocking single quotes, UNION, SELECT, comment syntax); (3) Disable or restrict access to /saveorder.php via firewall/reverse proxy until patched; (4) Modify source code to use parameterized queries/prepared statements for all database interactions in saveorder.php. Long-term: Audit all other .php files for similar SQL injection vulnerabilities; migrate to a security-focused framework with built-in SQL injection protection; implement input validation and output encoding throughout the application. Contact code-projects directly for official patch status and advisory information.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6358 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy