CVE-2025-12299 identifies a cross-site scripting vulnerability in the Simple Food Ordering System version 1.0 developed by code-projects. The vulnerability resides in the /addproduct.php script, where user-supplied inputs—specifically the parameters pname, category, and price—are not properly sanitized or encoded before being reflected in the web page output. This lack of input validation allows an attacker to inject malicious JavaScript code remotely, which executes in the context of the victim's browser when they interact with the affected page. The vulnerability does not require any authentication or privileges, making it accessible to unauthenticated remote attackers. However, user interaction is necessary to trigger the malicious script, typically by visiting a crafted URL or interacting with manipulated input fields. The CVSS 4.0 base score of 5.3 reflects a medium severity, with attack vector being network-based, low attack complexity, no privileges required, and user interaction needed. The impact primarily affects confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Availability is not impacted. Although no active exploitation has been reported, the public release of an exploit increases the likelihood of attacks. The vulnerability is particularly relevant for organizations using this specific food ordering system, which may be deployed in small to medium-sized restaurants or food service providers. The absence of official patches or updates necessitates immediate mitigation efforts by administrators.

For European organizations, especially those in the hospitality and food service sectors utilizing the Simple Food Ordering System 1.0, this vulnerability poses a tangible risk of client-side attacks. Successful exploitation can lead to theft of user credentials, session hijacking, and unauthorized actions performed under the guise of legitimate users, potentially resulting in data breaches or fraudulent transactions. The reputational damage from compromised customer data or defaced ordering platforms can be significant. Additionally, attackers could use the vulnerability as a foothold to conduct further attacks within the network if users with elevated privileges are targeted. Given the remote exploitation capability and no requirement for authentication, the attack surface is broad. However, the need for user interaction somewhat limits automated mass exploitation. The medium severity indicates that while the threat is serious, it is not immediately critical, allowing organizations some time to implement mitigations. Nonetheless, failure to address this vulnerability could lead to regulatory compliance issues under GDPR if personal data is compromised.

To mitigate CVE-2025-12299, organizations should implement strict input validation and output encoding on all user-supplied data, particularly for the pname, category, and price parameters in /addproduct.php. Employing context-aware encoding (e.g., HTML entity encoding) prevents malicious scripts from executing. If source code modification is possible, developers should sanitize inputs using established libraries or frameworks that automatically handle XSS protection. In the absence of official patches, deploying a Web Application Firewall (WAF) configured to detect and block common XSS payloads can provide an effective interim defense. Additionally, security teams should conduct regular security assessments and penetration tests focusing on web application vulnerabilities. User education to recognize suspicious links and avoid clicking untrusted URLs can reduce the risk of triggering the exploit. Monitoring web server logs for unusual requests targeting the vulnerable parameters can help detect attempted exploitation. Finally, organizations should engage with the vendor or community to obtain or develop patches and plan for timely updates.