EUVD-2025-18784

CVE-2025-6361 | HIGH
Published: 2025-06-20 [email protected]
Score: 7.3 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low

Lifecycle Timeline

- Analysis Generated: Mar 15, 2026 00:19 (vuln.today)
- EUVD ID Assigned: Mar 15, 2026 00:19 (euvd), EUVD-2025-18784
- PoC Detected: Jun 26, 2025 15:33 (vuln.today), public exploit code
- CVE Published: Jun 20, 2025 20:15 (nvd), HIGH 7.3

Description

A vulnerability classified as critical was found in code-projects Simple Pizza Ordering System 1.0. This vulnerability affects unknown code of the file /adds.php. The manipulation of the argument userid leads to sql injection. The attack can be initiated remotely.

Analysis

CVE-2025-6361 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /adds.php file's userid parameter. An unauthenticated remote attacker can exploit this vulnerability without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the application database. The vulnerability has a CVSS score of 7.3 (High) and represents an immediate risk to any organization running this unpatched system in production.

Technical Context

The vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')) in PHP application code. The /adds.php endpoint does not sanitize or parameterize the 'userid' parameter before building a SQL query from it, so attacker-controlled SQL syntax becomes part of the executed statement. This is a basic input-handling failure common in legacy PHP applications written before prepared statements were standard practice. The affected product is code-projects Simple Pizza Ordering System 1.0, a lightweight PHP-based ordering platform. The root cause is direct string concatenation of user input into the query text without escaping, type casting, or use of prepared statements.

Affected Products

- Vendor: code-projects
- Product: Simple Pizza Ordering System
- Affected version: 1.0
- Affected component: /adds.php
- Vulnerable parameter: userid
- CPE: cpe:2.3:a:code-projects:simple_pizza_ordering_system:1.0:*:*:*:*:*:*:*

Remediation

Immediate Actions:

1. Disable or remove the /adds.php endpoint if it is not actively required for operations.
2. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the userid parameter.
3. Apply input validation that rejects non-numeric userid values if an integer is expected.

Long-term Fixes:

1. Upgrade to the latest patched version of Simple Pizza Ordering System (version/patch availability is not specified in the references; contact the code-projects vendor directly).
2. If no patch is available, refactor /adds.php to use prepared statements/parameterized queries with bound parameters instead of string concatenation.
3. Apply the principle of least privilege to the database connection credentials.
4. Suppress SQL error output to prevent information disclosure.
5. Deploy database activity monitoring to detect exploitation attempts.

Vendor Advisory: Contact code-projects for security patch availability through their official support channels. No official CVE patch reference is provided; escalate to the vendor for a timeline.
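The pattern described in Technical Context and the two code-level fixes above (integer validation and bound parameters) side by side. This is an added example, not code from code-projects or from vuln.today: the actual contents of /adds.php are not published here, so the table name, column names, the `users` schema and the use of PDO with an in-memory SQLite database are all assumptions chosen so the script runs stand-alone with `php example.php`.

```php
<?php
// Added example (not code-projects' /adds.php): a vulnerable user lookup built
// by string concatenation, beside a hardened one that validates and binds the
// userid parameter. Schema, table name and the SQLite in-memory PDO connection
// are assumptions so the script runs without an external database.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT, address TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', '1 Main St'), (2, 'bob', '2 Side St')");
    return $pdo;
}

// Vulnerable form: the request parameter is pasted straight into the query
// text, so anything that follows the number is parsed as SQL.
function lookupVulnerable(PDO $pdo, string $userid): array
{
    $sql = 'SELECT userid, name FROM users WHERE userid = ' . $userid;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything that is not a plain integer (Immediate
// Action 3), then bind the value as a typed parameter (Long-term Fix 2) so
// the database always treats it as data, never as query syntax.
function lookupHardened(PDO $pdo, string $userid): array
{
    if (filter_var($userid, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('userid must be an integer');
    }
    $stmt = $pdo->prepare('SELECT userid, name FROM users WHERE userid = :id');
    $stmt->bindValue(':id', (int) $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();
$benign = '1';
$hostile = '1 OR 1=1'; // constructed input: the textbook tautology

printf("vulnerable, benign input:  %d row(s)\n", count(lookupVulnerable($pdo, $benign)));   // 1
printf("vulnerable, hostile input: %d row(s)\n", count(lookupVulnerable($pdo, $hostile)));  // every row
printf("hardened, benign input:    %d row(s)\n", count(lookupHardened($pdo, $benign)));     // 1
try {
    lookupHardened($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo "hardened, hostile input:   rejected (" . $e->getMessage() . ")\n";
}
```

The validation step is what makes the WAF rule and the error-suppression advice above secondary rather than primary controls: once the parameter can only ever be an integer and is bound as one, there is no query text for injected syntax to land in, and the failed lookups that remain are ordinary application errors rather than leaked database messages.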

Priority Score

57

- KEV: 0
- EPSS: +0.1
- CVSS: +36
- POC: +20


EUVD-2025-18784 vulnerability details – vuln.today
