How to fix CVE-2025-6359?

Within 24 hours: Inventory all systems running Simple Pizza Ordering System 1.0 and isolate affected instances from production if operationally feasible; enable enhanced logging on database access. Within 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection patterns in the transactioncode parameter of /cashconfirm.php; consider disabling the payment confirmation feature if business operations allow. Within 30 days: Plan migration to patched version or alternative vendor solution; conduct forensic audit of database access logs for signs of exploitation.

Is PHP affected by CVE-2025-6359?

A publicly disclosed SQL injection vulnerability in Simple Pizza Ordering System 1.0 allows unauthenticated remote attackers to compromise database integrity and extract sensitive customer data.

CVE-2025-6359

EUVD-2025-18783 HIGH

2025-06-20 [email protected]

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-18783

PoC Detected

Jun 26, 2025 - 12:59 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 19:15 nvd

HIGH 7.3

Description

A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /cashconfirm.php. The manipulation of the argument transactioncode leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6359 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /cashconfirm.php file where the 'transactioncode' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

Technical Context

This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), specifically SQL injection. The /cashconfirm.php endpoint fails to properly sanitize or parameterize the 'transactioncode' user input before incorporating it into SQL queries. The affected product is code-projects Simple Pizza Ordering System 1.0, a PHP-based web application (CPE: cpe:2.3:a:code-projects:simple_pizza_ordering_system:1.0:*:*:*:*:*:*:*). The root cause is insufficient input validation and lack of prepared statements or parameterized queries, allowing attackers to inject SQL metacharacters and manipulate query logic.

Affected Products

Simple Pizza Ordering System (['1.0'])

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

CVE-2025-6359 vulnerability details – vuln.today

Back

CVE-2025-6359

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-6359

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code