CVE-2025-11613: SQL Injection in code-projects Simple Food Ordering System
A vulnerability was found in code-projects Simple Food Ordering System 1.0. Affected is an unknown function of the file /addcategory.php. The manipulation of the argument cname results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-11613 identifies a SQL injection vulnerability in the Simple Food Ordering System version 1.0 developed by code-projects. The vulnerability resides in the /addcategory.php script, where the cname parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This injection flaw enables remote attackers to manipulate backend SQL queries, potentially extracting sensitive data, modifying database contents, or disrupting service availability. The vulnerability does not require authentication or user interaction, increasing its exploitability. The CVSS 4.0 base score is 5.3 (medium), reflecting the attack vector as network-based with low attack complexity and no privileges or user interaction needed, but with limited impact on confidentiality, integrity, and availability. Although no active exploits have been reported in the wild, a public exploit is available, which could facilitate attacks by less skilled adversaries. The affected product is typically used in food ordering and hospitality environments, where database integrity and confidentiality are critical. The lack of official patches necessitates immediate mitigation through secure coding practices such as parameterized queries and input validation to prevent exploitation.
Potential Impact
For European organizations, especially those in the hospitality and food service sectors using the Simple Food Ordering System, this vulnerability poses a risk of unauthorized data disclosure, data tampering, and potential service disruption. Compromise of the ordering system database could lead to leakage of customer information, order details, and business-sensitive data, undermining customer trust and regulatory compliance (e.g., GDPR). Additionally, attackers could alter menu categories or order data, impacting business operations and revenue. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, particularly targeting smaller businesses with limited cybersecurity resources. The medium severity indicates moderate risk, but the availability of a public exploit elevates the urgency for mitigation to prevent exploitation that could cascade into broader network compromise or reputational damage.
Mitigation Recommendations
1. Immediately review and update the /addcategory.php script to implement parameterized queries or prepared statements, eliminating direct concatenation of user input into SQL commands.
2. Apply strict input validation and sanitization on the cname parameter to ensure only expected data formats are accepted.
3. Conduct a comprehensive code audit of the entire application to identify and remediate similar injection points.
4. If possible, isolate the ordering system within a segmented network zone to limit exposure.
5. Monitor logs for unusual database query patterns or repeated attempts to exploit the cname parameter.
6. Engage with the vendor or community to obtain or develop official patches or updates.
7. Educate staff on the risks of SQL injection and ensure secure development lifecycle practices are followed for future updates.
8. Implement web application firewalls (WAFs) with rules targeting SQL injection attempts as an additional protective layer.
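Recommendations 1, 2 and 5 in concrete form. The following is an added example written for this page, not code from the Simple Food Ordering System or from code-projects: a constructed category-insert handler in the shape the advisory describes, showing the string-concatenation pattern that produces a cname SQL injection next to a hardened version that validates the name against an allow-list, binds it as a prepared-statement parameter, and logs rejected input so that repeated attempts show up in monitoring. The table and column names (categories, cname), the name policy in validateCategoryName, and the database credentials are all assumptions.

```php
<?php
// Added example, not the project's own code. Assumed schema: a table
// `categories` with a `cname` column; assumed credentials in connect().
declare(strict_types=1);

function connect(): mysqli
{
    // Throw on any database error instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'app_user', 'app_password', 'food_ordering');
    $db->set_charset('utf8mb4');
    return $db;
}

// BEFORE (vulnerable pattern): the request value is concatenated straight
// into the SQL text, so a quote or other metacharacter in cname changes the
// structure of the statement rather than being stored as a value.
function addCategoryVulnerable(mysqli $db, string $cname): void
{
    $sql = "INSERT INTO categories (cname) VALUES ('" . $cname . "')";
    $db->query($sql);
}

// Allow-list validation (assumed policy): 1-50 letters, digits, spaces,
// hyphens or ampersands. Anything else is rejected before it reaches SQL.
function validateCategoryName(string $cname): string
{
    $cname = trim($cname);
    if (!preg_match('/^[\p{L}\p{N} &\-]{1,50}$/u', $cname)) {
        throw new InvalidArgumentException('Invalid category name');
    }
    return $cname;
}

// AFTER (hardened): the value travels as a bound parameter, never as SQL
// text, so the database treats it as data whatever it contains. Validation
// is defence in depth; the prepared statement alone closes the injection.
function addCategorySafe(mysqli $db, string $cname): int
{
    $clean = validateCategoryName($cname);
    $stmt = $db->prepare('INSERT INTO categories (cname) VALUES (?)');
    $stmt->bind_param('s', $clean);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Request handling as it would sit in addcategory.php: require a POST with a
// cname field, and log rejected names so recommendation 5 (monitoring for
// repeated attempts against cname) has something to alert on.
function handleRequest(mysqli $db): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['cname'])) {
        http_response_code(400);
        echo 'cname is required';
        return;
    }
    try {
        $id = addCategorySafe($db, (string) $_POST['cname']);
        echo "Category added with id {$id}";
    } catch (InvalidArgumentException $e) {
        error_log(sprintf('addcategory.php rejected cname from %s: %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $e->getMessage()));
        http_response_code(422);
        echo 'Invalid category name';
    }
}

if (PHP_SAPI !== 'cli') {
    handleRequest(connect());
}
```

The point for the code audit in recommendation 3 is the shape of the two functions: any place where a request value is interpolated into a query string looks like addCategoryVulnerable and should be rewritten to look like addCategorySafe, with the value passed through bind_param (or PDO's bindValue) rather than the SQL text. The error_log line gives log monitoring a stable string to match on; a burst of such entries from one client is the pattern recommendation 5 asks you to watch for.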
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-10T15:09:12.752Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68eab2d95baaa01f1cd0f778
Added to database: 10/11/2025, 7:41:13 PM
Last enriched: 10/11/2025, 7:56:14 PM
Last updated: 10/12/2025, 7:02:21 AM
Related Threats
- CVE-2025-31992: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in HCL Software MaxAI Assistant (Medium)
- CVE-2025-11628: SQL Injection in jimit105 Project-Online-Shopping-Website (Medium)
- CVE-2025-52616: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in HCL Software Unica (Medium)
- CVE-2025-11599: SQL Injection in Campcodes Online Apartment Visitor Management System (Medium)
- CVE-2025-11610: SQL Injection in SourceCodester Simple Inventory System (Medium)