CVE-2025-11613: SQL Injection in code-projects Simple Food Ordering System
A vulnerability was found in code-projects Simple Food Ordering System 1.0. Affected is an unknown function of the file /addcategory.php. The manipulation of the argument cname results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-11613 is a SQL injection vulnerability identified in the Simple Food Ordering System version 1.0 developed by code-projects. The flaw exists in the /addcategory.php script, where the cname parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This vulnerability can be exploited remotely without requiring authentication or user interaction, making it accessible to a wide range of attackers. The injection can lead to unauthorized reading, modification, or deletion of database records, potentially compromising sensitive customer and business data. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with an attack vector of network (remote), low attack complexity, and no privileges or user interaction needed. Although no active exploitation has been reported, the public availability of exploit code increases the risk of attacks. The vulnerability affects only version 1.0 of the product, which is typically used by small to medium-sized food service businesses for managing orders and categories. The lack of patches or official fixes necessitates immediate developer intervention to implement parameterized queries or prepared statements to prevent SQL injection. Organizations should also audit their systems for signs of compromise and restrict access to vulnerable endpoints until remediation is complete.
Potential Impact
The SQL injection vulnerability in the Simple Food Ordering System can have significant impacts on European organizations relying on this software for their food ordering operations. Exploitation could lead to unauthorized access to customer data, including personal and payment information, resulting in data breaches and regulatory non-compliance under GDPR. Attackers could alter or delete order data, disrupting business operations and causing financial losses. The integrity of the ordering system could be compromised, leading to incorrect orders or inventory mismanagement. Availability may also be affected if attackers execute destructive queries or cause database crashes. Given the remote exploitability without authentication, attackers can launch attacks from anywhere, increasing the threat surface. The medium severity score reflects moderate impact but ease of exploitation, emphasizing the need for timely mitigation. The reputational damage from a breach could be substantial, especially for businesses in competitive European markets. Additionally, the lack of patches means organizations must rely on internal fixes or mitigations, increasing operational burden.
Mitigation Recommendations
To mitigate CVE-2025-11613, organizations should immediately review and update the /addcategory.php code to use parameterized queries or prepared statements, eliminating direct concatenation of user input into SQL commands. Input validation should be enforced to restrict cname parameter values to expected formats and lengths. Web application firewalls (WAFs) can be configured to detect and block SQL injection attempts targeting this endpoint as a temporary protective measure. Access to the vulnerable endpoint should be restricted to trusted IP addresses or internal networks where possible. Organizations should conduct thorough security audits and database integrity checks to detect any signs of compromise. Regular backups of the database should be maintained to enable recovery from potential data loss. Monitoring and logging of database queries and web server access should be enhanced to identify suspicious activity. Finally, organizations should engage with the vendor or developer community to obtain or develop official patches and update the software accordingly. Employee training on secure coding practices can prevent similar vulnerabilities in future development.
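As an added example (not code from the Simple Food Ordering System, whose real /addcategory.php is not shown on this page), the string-concatenation pattern the advisory describes sits beside a hardened version that validates cname and binds it through a mysqli prepared statement. The table name `categories`, the column `cname`, the allowed character set and the connection details are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// database credentials below are assumptions for illustration only.

// BEFORE (hypothetical reconstruction of the flaw class): the request value
// is concatenated straight into the SQL text, so the value can alter the
// statement's structure instead of being treated as data.
function addCategoryVulnerable(mysqli $db, string $cname): bool {
    $sql = "INSERT INTO categories (cname) VALUES ('" . $cname . "')";
    return $db->query($sql) !== false;
}

// Input validation: restrict cname to an expected format and length.
// Letters, digits, spaces, hyphen, ampersand and apostrophe, 1 to 50 chars
// (assumed to be what a category name legitimately needs).
function validateCategoryName(string $cname): ?string {
    $cname = trim($cname);
    if (preg_match('/^[\p{L}\p{N} \-&\']{1,50}$/u', $cname) !== 1) {
        return null;
    }
    return $cname;
}

// AFTER: validated value is bound as a string parameter, so even an
// apostrophe in "Kid's Meals" is stored literally and never parsed as SQL.
function addCategorySafe(mysqli $db, string $rawCname): bool {
    $cname = validateCategoryName($rawCname);
    if ($cname === null) {
        http_response_code(400);            // reject unexpected input early
        return false;
    }
    $stmt = $db->prepare("INSERT INTO categories (cname) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $cname);          // 's' = bind as string data
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: only accept a POST that carries a cname field.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['cname'])) {
    // Assumed connection details; replace with the deployment's own.
    $db = new mysqli('localhost', 'app_user', 'app_password', 'food_ordering');
    $db->set_charset('utf8mb4');
    echo addCategorySafe($db, (string) $_POST['cname'])
        ? 'Category added' : 'Invalid category name';
}
```

The validation step is defence in depth; the prepared statement alone removes the injection, and the allowlist additionally keeps junk out of the category table and gives the web server log a clean 400 to alert on.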
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-10T15:09:12.752Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68eab2d95baaa01f1cd0f778
Added to database: 10/11/2025, 7:41:13 PM
Last enriched: 10/19/2025, 12:58:59 AM
Last updated: 12/5/2025, 4:20:08 AM