How to fix EUVD-2025-28728?

Within 24 hours: Inventory all systems running Simple Pizza Ordering System 1.0 and isolate them from production networks if possible; review database access logs for suspicious activity. Within 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection patterns targeting /portal.php ID parameter; implement input validation and parameterized queries if code modifications are feasible. Within 30 days: Evaluate replacement solutions or contact vendor for patched version timeline; conduct full security assessment of affected systems; restore from clean backups if compromise is confirmed.

Is PHP affected by EUVD-2025-28728?

A high-severity SQL injection vulnerability in Simple Pizza Ordering System 1.0 allows remote attackers to potentially access, modify, or delete sensitive database information without authentication.

EUVD-2025-28728

| CVE-2025-6360 HIGH

2025-06-20 [email protected]

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-28728

PoC Detected

Jun 26, 2025 - 15:35 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 19:15 nvd

HIGH 7.3

Description

A vulnerability classified as critical has been found in code-projects Simple Pizza Ordering System 1.0. This affects an unknown part of the file /portal.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6360 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /portal.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

Technical Context

This is a classic SQL injection vulnerability (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in a PHP-based web application. The /portal.php endpoint accepts an ID parameter that is directly incorporated into SQL queries without proper input validation or parameterized query preparation. CWE-74 encompasses SQL injection and similar injection attacks where user-controlled input flows unsanitized into command contexts. The vulnerability likely exists in database query construction using string concatenation rather than prepared statements with parameter binding. Affected product: code-projects Simple Pizza Ordering System 1.0 (CPE context suggests a legacy/open-source project management application).

Affected Products

- product: code-projects Simple Pizza Ordering System; versions: 1.0; affected_component: /portal.php (ID parameter); vendor: code-projects; cpe: cpe:2.3:a:code-projects:simple_pizza_ordering_system:1.0:*:*:*:*:*:*:*; status: Unpatched (as of CVE publication)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

EUVD-2025-28728 vulnerability details – vuln.today

Back

EUVD-2025-28728

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

EUVD-2025-28728

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code