CVE-2025-11604: SQL Injection in projectworlds Online Ordering Food System
CVE-2025-11604 is a medium severity SQL injection vulnerability in projectworlds Online Ordering Food System version 1.0, specifically in the /all-orders.php file via manipulation of the 'Status' parameter. This flaw allows unauthenticated remote attackers to inject SQL commands, potentially leading to partial compromise of confidentiality, integrity, and availability of the backend database. Although no known exploits are currently in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The vulnerability does not require user interaction or privileges, making it easier to exploit remotely. European organizations using this software for food ordering and delivery services could face data breaches, order manipulation, or service disruption. Mitigation requires immediate input validation and parameterized queries, as no official patches are yet available. Countries with higher adoption of projectworlds Online Ordering Food System or significant food service sectors, such as Germany, France, Italy, Spain, and the UK, are most likely to be affected. Given the CVSS 4.
AI Analysis
Technical Summary
CVE-2025-11604 identifies a SQL injection vulnerability in version 1.0 of the projectworlds Online Ordering Food System, specifically within the /all-orders.php endpoint. The vulnerability arises from improper sanitization and validation of the 'Status' parameter, which is used in SQL queries without adequate protection. This allows remote attackers to inject malicious SQL code, potentially enabling unauthorized data access, data modification, or disruption of database operations. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The lack of an official patch or mitigation guidance from the vendor necessitates immediate defensive measures by users of this software. The vulnerability primarily threatens the backend database integrity and confidentiality, potentially exposing sensitive customer order data or allowing attackers to manipulate order statuses, which could disrupt business operations and customer trust.
Potential Impact
For European organizations utilizing the projectworlds Online Ordering Food System, this vulnerability poses significant risks including unauthorized access to customer data, manipulation of order information, and potential disruption of food ordering services. Such impacts could lead to financial losses, reputational damage, and regulatory penalties under GDPR due to data breaches. The ability to remotely exploit the vulnerability without authentication increases the attack surface, especially for organizations with externally accessible ordering platforms. The partial compromise of confidentiality and integrity could expose personally identifiable information (PII) and order details, while availability impacts could disrupt service continuity. Given the critical role of online ordering systems in the food service industry, exploitation could also affect supply chain operations and customer satisfaction. Organizations in countries with large food delivery markets and high adoption of this software are at greater risk, potentially impacting a broad range of SMEs and larger enterprises in the hospitality sector.
Mitigation Recommendations
Since no official patches are currently available, European organizations should immediately implement input validation and sanitization on the 'Status' parameter within /all-orders.php to prevent SQL injection. Employing parameterized queries or prepared statements in the database access layer is critical to mitigate injection risks. Network-level protections such as Web Application Firewalls (WAFs) should be configured to detect and block SQL injection patterns targeting this endpoint. Organizations should conduct thorough code reviews and penetration testing focused on SQL injection vectors. Restricting database user permissions to the minimum necessary can limit the impact of a successful injection. Monitoring logs for suspicious query patterns and anomalous database activity can provide early detection of exploitation attempts. Additionally, organizations should consider isolating the vulnerable system from public networks or limiting access via VPN or IP whitelisting until a vendor patch is released. Finally, maintaining regular backups of databases ensures recovery capability in case of data corruption or loss.
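The two fixes the recommendations lead with, input validation and prepared statements, applied to a 'Status' filter in the style of the affected endpoint. This is an added illustration, not code from projectworlds; the table and column names, the allowed status values, and the DSN are assumptions.

```php
<?php
declare(strict_types=1);

// Pattern the advisory describes: the request parameter is spliced into the
// SQL text, so whatever it contains is parsed as part of the statement.
function buildUnsafeStatusQuery(string $status): string
{
    return "SELECT * FROM orders WHERE status = '" . $status . "'";
}

// Hardened version. Step 1: the parameter only has a handful of legitimate
// values, so reject anything outside that set before it reaches the database.
const ALLOWED_STATUSES = ['pending', 'accepted', 'delivered', 'cancelled']; // assumed set

function fetchOrdersByStatus(PDO $pdo, ?string $status): array
{
    if ($status === null || !in_array($status, ALLOWED_STATUSES, true)) {
        http_response_code(400);
        return [];
    }
    // Step 2: bind the value as a parameter. The SQL text and the value travel
    // separately, so the driver never rebuilds the statement from user input.
    $stmt = $pdo->prepare(
        'SELECT id, customer, status FROM orders WHERE status = :status'
    );
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection; use a database account limited to the rows and
// privileges this page needs, as the recommendations above advise.
$pdo = new PDO('mysql:host=localhost;dbname=food_order', 'orders_reader', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

header('Content-Type: application/json');
echo json_encode(fetchOrdersByStatus($pdo, $_GET['Status'] ?? null));
```

The allowlist check also covers any later code path that builds SQL dynamically from the same value, which the prepared statement alone would not.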
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-10T13:00:49.927Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ea65895baaa01f1cbb6470
Added to database: 10/11/2025, 2:11:21 PM
Last enriched: 10/11/2025, 2:26:12 PM
Last updated: 10/11/2025, 5:00:57 PM