CVE-2025-10400: SQL Injection in SourceCodester Food Ordering Management System
A security vulnerability has been detected in SourceCodester Food Ordering Management System 1.0. Affected is an unknown function in the file /routers/ticket-message.php. Manipulation of the ticket_id argument leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-10400 is a medium-severity SQL Injection vulnerability identified in version 1.0 of the SourceCodester Food Ordering Management System. The vulnerability exists in the /routers/ticket-message.php file, specifically related to the handling of the 'ticket_id' parameter. Improper sanitization or validation of this parameter allows an attacker to inject malicious SQL code remotely, without requiring authentication or user interaction. This can lead to unauthorized access or manipulation of the backend database, potentially exposing sensitive customer data, order details, or administrative information. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits are currently reported in the wild. The CVSS 4.0 score of 5.3 reflects a moderate risk, considering the attack vector is network-based with low complexity and no privileges or user interaction needed, but with limited impact on confidentiality, integrity, and availability. The vulnerability affects only version 1.0 of the product, which is a niche food ordering management system, typically deployed by small to medium-sized restaurants or food service providers.
Potential Impact
For European organizations, particularly those in the hospitality and food service sectors using SourceCodester Food Ordering Management System 1.0, this vulnerability poses a risk of unauthorized database access. Exploitation could lead to leakage of customer personal data, order histories, and potentially payment information if stored insecurely. This compromises customer privacy and may violate GDPR regulations, leading to legal and financial penalties. Additionally, attackers could manipulate order data, disrupt service availability, or escalate attacks within the network. The impact is more pronounced for organizations relying heavily on this system for online ordering and customer interaction, as disruption or data breach could damage reputation and operational continuity. However, the limited market penetration of this specific system in Europe and the absence of known active exploits somewhat reduce the immediate threat level.
Mitigation Recommendations
Organizations using SourceCodester Food Ordering Management System 1.0 should prioritize upgrading to a patched version once available or apply custom patches to sanitize and validate the 'ticket_id' parameter rigorously. In the interim, implementing Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns targeting ticket_id parameters can reduce risk. Regularly auditing and monitoring database queries and logs for anomalous activities is recommended. Restricting database user permissions to the minimum necessary can limit the impact of a successful injection. Additionally, isolating the food ordering system within a segmented network zone reduces lateral movement potential. Organizations should also review their data retention and encryption policies to minimize sensitive data exposure in case of compromise.
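The advisory names only the file and the parameter, not the function, so the following is an added illustration rather than the project's own code: it shows the two controls the mitigation paragraph recommends for a ticket_id parameter, strict allowlist validation (a bounded positive integer) in front of a parameterized query, plus a small log check that flags requests to /routers/ticket-message.php whose ticket_id would fail that allowlist. It is written in Python with an in-memory SQLite table instead of the application's PHP and MySQL; the table layout, the 32-bit upper bound, and the access-log lines are constructed for the example.

```python
"""Added example for the CVE-2025-10400 mitigation advice (not SourceCodester code).

Two defender-side controls around a ticket_id parameter:
  1. allowlist validation + parameterized query (the code-level fix)
  2. a log scan that reports ticket_id values failing the same allowlist
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumption: ticket ids are positive 32-bit integers (hypothetical bound).
TICKET_ID_MAX = 2**31 - 1


def parse_ticket_id(raw):
    """Return the ticket id as an int, or None if the value is not a bounded positive integer.

    Allowlisting the shape of the value (digits only, no leading zero, at most
    ten digits) rejects quotes, operators and other non-numeric input before it
    ever reaches the database layer.
    """
    if raw is None or not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        return None
    value = int(raw)
    return value if value <= TICKET_ID_MAX else None


def build_demo_db():
    """Constructed in-memory stand-in for the application's ticket message table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ticket_messages (id INTEGER PRIMARY KEY, ticket_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO ticket_messages (ticket_id, body) VALUES (?, ?)",
        [(12, "Order arrived cold"), (12, "Refund issued"), (13, "Wrong item")],
    )
    return conn


def fetch_ticket_messages(conn, raw_ticket_id):
    """Hardened lookup: validate first, then bind the value as a query parameter.

    Returns None when the input is rejected (the HTTP handler would answer 400),
    otherwise the list of message bodies for that ticket.
    """
    ticket_id = parse_ticket_id(raw_ticket_id)
    if ticket_id is None:
        return None
    rows = conn.execute(
        "SELECT body FROM ticket_messages WHERE ticket_id = ?", (ticket_id,)
    ).fetchall()
    return [body for (body,) in rows]


# Matches the request target in a common/combined-format web server log line.
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2025:14:05:50 +0000] "GET /routers/ticket-message.php?ticket_id=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Sep/2025:14:05:51 +0000] "GET /routers/ticket-message.php?ticket_id=12%27 HTTP/1.1" 500 0',
    '203.0.113.9 - - [14/Sep/2025:14:06:02 +0000] "GET /routers/ticket-message.php?ticket_id=-1 HTTP/1.1" 200 80',
    '203.0.113.9 - - [14/Sep/2025:14:06:03 +0000] "GET /index.php?page=menu HTTP/1.1" 200 2048',
    '198.51.100.4 - - [14/Sep/2025:14:07:10 +0000] "POST /routers/ticket-message.php?ticket_id=99999999999 HTTP/1.1" 200 80',
]


def suspicious_ticket_requests(log_lines):
    """Return (line_number, raw_value) for ticket-message.php requests whose
    ticket_id fails the allowlist. parse_qs URL-decodes the value, so an
    encoded quote (%27) is judged on its decoded form."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.endswith("/routers/ticket-message.php"):
            continue
        for raw in parse_qs(target.query, keep_blank_values=True).get("ticket_id", []):
            if parse_ticket_id(raw) is None:
                hits.append((n, raw))
    return hits


if __name__ == "__main__":
    db = build_demo_db()
    print(fetch_ticket_messages(db, "12"))          # ['Order arrived cold', 'Refund issued']
    print(fetch_ticket_messages(db, "12'"))         # None (rejected before any query)
    for line_no, value in suspicious_ticket_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected ticket_id={value!r}")
```

The validation regex and the bound parameter are independent layers: the parameterized query alone already stops injection, and the allowlist additionally gives the log scan and any WAF rule a precise, low-false-positive definition of what a legitimate ticket_id looks like. Running the scan over the constructed lines reports lines 2, 3 and 5; the request to index.php is ignored because only the affected path is examined.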
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-13T19:36:40.246Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c6cbbe24663201be11a6b6
Added to database: 9/14/2025, 2:05:50 PM
Last enriched: 9/22/2025, 12:31:08 AM
Last updated: 10/30/2025, 2:12:59 PM