CVE-2025-11604 identifies a SQL injection vulnerability in version 1.0 of the projectworlds Online Ordering Food System, specifically in the /all-orders.php endpoint. The vulnerability arises from improper sanitization of the 'Status' parameter, which is directly used in SQL queries. This allows remote attackers to inject arbitrary SQL commands without requiring authentication or user interaction, enabling them to manipulate database queries. Potential consequences include unauthorized data disclosure, data modification, or deletion, and possibly denial of service if database integrity is compromised. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. Although no active exploits have been reported, public disclosure of exploit code increases the likelihood of attacks. The vulnerability affects only version 1.0 of the product, and no official patches have been linked yet. The Online Ordering Food System is typically deployed by restaurants and food service providers, making customer data and order processing systems potential targets. The lack of authentication requirements and ease of exploitation make this vulnerability a significant risk for organizations relying on this software for online order management.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive customer data, including personal and payment information, resulting in privacy breaches and regulatory non-compliance under GDPR. Data integrity could be compromised, leading to incorrect order processing or fraudulent transactions, damaging business reputation and customer trust. Availability of the ordering system could be disrupted, causing operational downtime and financial losses, especially for businesses heavily dependent on online orders. The public disclosure of exploit code increases the risk of automated attacks targeting vulnerable installations. Organizations in the food service sector, especially those using projectworlds Online Ordering Food System version 1.0, face increased exposure. Additionally, compromised systems could be leveraged as pivot points for further network intrusion or data exfiltration. The medium severity rating suggests a moderate but tangible risk that requires timely remediation to prevent escalation.

Organizations should immediately audit their use of projectworlds Online Ordering Food System to identify any installations of version 1.0. Since no official patch is currently linked, implement input validation and sanitization on the 'Status' parameter to prevent SQL injection. Employ parameterized queries or prepared statements in the application code to eliminate direct concatenation of user input into SQL commands. Restrict access to the /all-orders.php endpoint through network segmentation, firewalls, or web application firewalls (WAF) with SQL injection detection rules. Monitor logs for unusual query patterns or repeated requests targeting the 'Status' parameter. If possible, isolate the database server and enforce least privilege principles for database accounts used by the application. Consider deploying runtime application self-protection (RASP) tools to detect and block injection attempts. Plan for an upgrade or patch deployment once the vendor releases a fix. Educate development and operations teams about secure coding practices to prevent similar vulnerabilities in the future.