CVE-2025-12378: Unrestricted Upload in code-projects Simple Food Ordering System
A security flaw has been discovered in code-projects Simple Food Ordering System 1.0. The affected code is in /addproduct.php: manipulating the argument photo results in an unrestricted file upload. The attack can be initiated remotely. Exploit code has been released to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-12378 identifies a security vulnerability in Simple Food Ordering System version 1.0 by code-projects. The flaw is in the /addproduct.php script, specifically in its handling of the 'photo' form field, which does not restrict what may be uploaded. A remote attacker can therefore upload arbitrary files, including server-side scripts, and the advisory records no authentication or user interaction as prerequisites. The root cause is insufficient server-side validation of the uploaded file: the type, name and contents are not checked before the file is stored. If the stored file lands in a web-served directory where the server executes scripts, the attacker can run arbitrary code on the server, leading to full compromise of the host, theft of data, or disruption of service. The CVSS 4.0 base score of 6.9 (medium) reflects a network attack vector, low attack complexity, no privileges or user interaction required, and low rated impact on confidentiality, integrity and availability. No exploitation in the wild is known, but the public release of exploit code increases the likelihood of attacks. Only version 1.0 is listed as affected, and no official patch has been linked yet, so users need to apply mitigations themselves.
Potential Impact
For European organizations running Simple Food Ordering System 1.0, this vulnerability poses a significant risk. A remote arbitrary file upload that can be turned into code execution lets an attacker compromise sensitive customer data held by the application, such as personal details and any payment information stored alongside orders. This can result in data breaches, reputational damage, and regulatory penalties under GDPR. Attackers could also disrupt the ordering service, causing operational downtime and financial losses. The hospitality and food service sectors, which often rely on such ordering systems, are the most likely to be affected. Although the severity rating is medium, exploitation requires no authentication or user interaction and the attack complexity is low, so a broad range of attackers can carry it out, and the public availability of exploit code makes prompt mitigation urgent.
Mitigation Recommendations
European organizations should immediately enforce strict server-side validation of all uploaded files: allow only the image formats the application needs, verify the file contents rather than trusting the extension or client-supplied MIME type, and generate the stored filename on the server. Scanning uploads with antivirus tooling can help detect malicious payloads. It is critical to configure the web server so uploaded files can never execute, by storing uploads outside the web root or by disabling script execution in the upload directory. Monitoring logs for unusual upload activity and rate limiting the endpoint reduce the attack surface. Organizations should watch for vendor updates or patches and apply them promptly once available. If patching is delayed, consider temporary mitigations such as disabling the upload functionality or restricting access to the /addproduct.php endpoint with authentication or IP allowlisting. Regular security audits and penetration testing focused on file upload mechanisms will help identify residual risks.
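The following hardened upload handler, added here as an example and not taken from code-projects Simple Food Ordering System, shows what the validation steps above look like in practice for a PHP application. The field name photo comes from the advisory; the session key, the storage path outside the web root, the size cap and the function name are assumptions for illustration.

```php
<?php
// Hardened handler for a product "photo" upload.
// Added example, not code from code-projects Simple Food Ordering System.
// Assumptions (hypothetical): admins are identified by $_SESSION['admin_id'],
// uploads are stored under UPLOAD_DIR, which the web server does NOT serve,
// and a separate read-only script streams images back by product ID.

declare(strict_types=1);

const UPLOAD_DIR   = '/var/lib/foodorder/uploads';   // outside the web root (assumed path)
const MAX_BYTES    = 2 * 1024 * 1024;                  // 2 MiB cap (assumed limit)
const ALLOWED_MIME = [                                 // sniffed MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function saveProductPhoto(array $file): string
{
    // 1. Require an authenticated admin session before touching the upload.
    if (empty($_SESSION['admin_id'])) {
        throw new RuntimeException('authentication required');
    }

    // 2. Reject anything PHP itself flagged (partial upload, size limit, no file).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 3. Only accept a file that actually arrived via the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 4. Sniff the content; never trust the client-supplied name or $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // getimagesize() must be able to parse an image header. This rejects plain
    // scripts but not image/PHP polyglots, which is why the file is also stored
    // where it can never be executed.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 5. Server-generated name: random, extension derived from the sniffed type,
    //    so "shell.php", "x.php.jpg" or "../../x" from the client never matter.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the app, no execute bit
    return $name;         // persist this in the product row, serve via a proxy script
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    session_start();
    try {
        $stored = saveProductPhoto($_FILES['photo']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';   // generic message; log $e->getMessage() server-side
    }
}
```

The order of the checks matters: authentication first, so an unauthenticated request never reaches the filesystem; content sniffing with finfo and getimagesize rather than the extension, because the extension and $_FILES['type'] are attacker controlled; and a server-generated filename, so neither the extension nor any path components supplied by the client reach the disk. Because a valid GIF or JPEG can still carry PHP code after its header, the decisive control is the storage location: if uploads cannot be moved outside the web root, disable the PHP handler for that directory (for mod_php, `php_admin_flag engine off` in a `<Directory>` block) so that even a polyglot is served as an inert image.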
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-28T00:08:53.369Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69005d1b5553ed2111ccc338
Added to database: 10/28/2025, 6:05:15 AM
Last enriched: 10/28/2025, 6:06:08 AM
Last updated: 10/28/2025, 9:34:44 AM
Related Threats
- CVE-2025-41090: CWE-306 Missing Authentication for Critical Function in CCN-CERT microCLAUDIA (High)
- CVE-2025-10151: CWE-667 Improper Locking in Softing Industrial Automation GmbH smartLink HW-PN (High)
- CVE-2025-10150: CWE-833 Deadlock in Softing Industrial Automation GmbH smartLink HW-PN (High)
- CVE-2025-11735: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in realmag777 HUSKY – Products Filter Professional for WooCommerce (High)
- CVE-2025-10145: CWE-918 Server-Side Request Forgery (SSRF) in themeisle Auto Featured Image (Auto Post Thumbnail) (High)