CVE-2025-12300: Cross Site Scripting in code-projects Simple Food Ordering System
A weakness has been identified in code-projects Simple Food Ordering System 1.0. The issue affects an unknown part of the file /addcategory.php. Manipulation of the argument cname leads to cross-site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used.
AI Analysis
Technical Summary
CVE-2025-12300 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the Simple Food Ordering System developed by code-projects. The vulnerability is located in the /addcategory.php endpoint, specifically in the handling of the 'cname' parameter. This parameter is not properly sanitized or encoded before being reflected in the application's output, allowing an attacker to inject arbitrary JavaScript code. The attack vector is remote and requires neither privileges nor authentication, so it is reachable by unauthenticated attackers. However, user interaction is necessary to trigger the malicious script, typically by a victim visiting a crafted URL or interacting with manipulated content. The vulnerability can be exploited to execute scripts in the context of the victim's browser, potentially leading to session hijacking, theft of cookies, defacement of the web interface, or redirection to malicious sites. Although no active exploitation in the wild has been reported, the availability of proof-of-concept exploits increases the risk of future attacks. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of exploitation and the moderate impact on confidentiality and integrity, with no impact on availability. The Simple Food Ordering System is typically used by small to medium-sized food service businesses, which may lack robust security controls, increasing their exposure to such attacks.
Potential Impact
For European organizations, especially those in the hospitality and food service sectors using the Simple Food Ordering System, this vulnerability poses a risk to the confidentiality and integrity of customer and business data. Exploitation could lead to theft of session tokens, enabling attackers to impersonate legitimate users, potentially leading to unauthorized access to order data or administrative functions. Defacement or redirection attacks could damage brand reputation and customer trust. While availability is not directly impacted, the indirect effects of compromised user trust and potential regulatory penalties under GDPR for data breaches could be significant. Small and medium enterprises (SMEs) in Europe, which often use such off-the-shelf solutions, may be particularly vulnerable due to limited security resources. The public availability of exploit code increases the likelihood of opportunistic attacks, especially in countries with high tourism and food service activity where such systems are prevalent.
Mitigation Recommendations
1. Immediately implement input validation on the 'cname' parameter to allow only expected characters (e.g., alphanumeric and limited punctuation).
2. Apply proper output encoding/escaping to all user-supplied input before rendering it in HTML contexts to prevent script execution.
3. If possible, upgrade to a patched version of the Simple Food Ordering System once available; if no patch exists, consider applying custom fixes or using web application firewalls (WAFs) to detect and block malicious payloads targeting /addcategory.php.
4. Educate users and administrators about the risks of clicking on suspicious links and ensure that browsers are up to date with security features like XSS filters enabled.
5. Conduct regular security assessments and penetration testing focused on input validation and output encoding.
6. Monitor logs for unusual requests to /addcategory.php that include suspicious script payloads.
7. Consider isolating the application environment and restricting access to trusted networks where feasible to reduce exposure.
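The following is an added example, not code from the Simple Food Ordering System or from this advisory, showing recommendations 1, 2 and 6 together: a whitelist check for cname, output encoding of the value before it is rendered, and a scan of web-server access logs for /addcategory.php requests whose cname fails the whitelist. The allowed character set, the 50-character limit, the combined-log layout and the sample log lines are all assumptions constructed for the demo; only GET query strings are visible in an access log, so POSTed cname values need request-body logging or a WAF to be caught the same way.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Mitigation 1: whitelist what a category name legitimately needs.
# The allowed character set and the 50-character limit are assumptions.
CNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 &'\-]{0,49}")


def validate_cname(cname: str) -> bool:
    """True only if cname is a plausible category name (no HTML metacharacters)."""
    return CNAME_RE.fullmatch(cname) is not None


# Mitigation 2: encode on output even for values that passed validation.
def render_category_cell(cname: str) -> str:
    """Hardened equivalent of echoing cname back into the page unescaped."""
    return "<td>" + html.escape(cname, quote=True) + "</td>"


# Mitigation 6: flag /addcategory.php requests whose cname fails the whitelist.
# Apache/nginx "combined" log layout is assumed; the lines below are constructed.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2025:17:37:46 +0000] "GET /addcategory.php?cname=Desserts HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Oct/2025:17:38:01 +0000] "GET /addcategory.php?cname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [27/Oct/2025:17:38:05 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 300',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_cname_requests(log_lines):
    """Return (client_ip, decoded cname) for /addcategory.php requests with a rejected cname."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client_ip, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        if parts.path != "/addcategory.php":
            continue
        # parse_qs percent-decodes, so the value is what PHP would see in $_GET['cname'].
        for cname in parse_qs(parts.query, keep_blank_values=True).get("cname", []):
            if not validate_cname(cname):
                hits.append((client_ip, cname))
    return hits


if __name__ == "__main__":
    for ip, cname in suspicious_cname_requests(SAMPLE_LOG):
        print(f"{ip} sent rejected cname {cname!r}; hardened output: {render_category_cell(cname)}")
```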
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-26T16:59:33.172Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ffadeaba6dffc5e205065d
Added to database: 10/27/2025, 5:37:46 PM
Last enriched: 10/27/2025, 5:54:14 PM
Last updated: 10/30/2025, 9:16:18 AM