CVE-2025-13323: SQL Injection in code-projects Simple Pizza Ordering System
A security flaw has been discovered in code-projects Simple Pizza Ordering System 1.0. Affected is an unknown function of the file /listorder.php. Manipulation of the argument ID results in SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-13323 identifies a SQL Injection vulnerability in the Simple Pizza Ordering System version 1.0 developed by code-projects. The vulnerability resides in the /listorder.php file, where the ID parameter is improperly sanitized, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw can be exploited by manipulating the ID argument to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data disclosure, data modification, or disruption of service. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the attack vector is network-based with low attack complexity and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is limited but non-negligible, as the vulnerability allows partial compromise of these security properties. Although no known exploits are currently active in the wild, the public availability of exploit code increases the risk of exploitation. The lack of official patches or updates at the time of publication necessitates immediate mitigation efforts by users of this software. The vulnerability is significant for organizations relying on this ordering system, especially those handling sensitive customer data or payment information. The technical root cause is the absence of proper input validation and the failure to use parameterized queries or prepared statements in the affected PHP script. Remediation involves code correction to sanitize inputs and prevent SQL injection vectors.
Potential Impact
For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a risk of unauthorized access to customer order data, potentially including personal and payment information. Exploitation could lead to data breaches, loss of customer trust, and regulatory non-compliance under GDPR due to exposure of personal data. Additionally, attackers might alter order data or disrupt service availability, impacting business operations and revenue. Small and medium-sized food service businesses, which often rely on such specialized ordering systems, may lack robust cybersecurity defenses, increasing their vulnerability. The public release of exploit code raises the likelihood of opportunistic attacks, including automated scanning and exploitation by cybercriminals. The impact extends beyond data loss to potential reputational damage and financial penalties. Organizations may also face operational disruptions if attackers manipulate order processing or database integrity. Given the interconnected nature of supply chains in the food industry, a successful attack could have cascading effects on partners and customers across Europe.
Mitigation Recommendations
Immediate mitigation should focus on reviewing and updating the /listorder.php script to implement strict input validation and sanitization for the ID parameter. Developers should refactor the code to use prepared statements or parameterized queries to eliminate SQL injection vectors. In the absence of an official patch, organizations can apply web application firewalls (WAFs) with custom rules to detect and block malicious SQL injection attempts targeting the ID parameter. Monitoring and logging of web application traffic should be enhanced to detect suspicious activities. Organizations should conduct security assessments and penetration testing on their deployment of the Simple Pizza Ordering System to identify and remediate similar vulnerabilities. Backup procedures should be verified to ensure data integrity in case of compromise. Additionally, restricting database user privileges to the minimum necessary can limit the impact of a successful injection. Finally, organizations should stay alert for vendor updates or patches and apply them promptly once released.
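As an added illustration of the remediation described above (this is not the project's code), the handler below shows how a script like /listorder.php can validate the ID argument as a positive integer and pass it to the database through a prepared statement, so the value never becomes part of the SQL text. The table and column names, the DSN, and the low-privilege database account are assumptions.

```php
<?php
// Added example, not code from the Simple Pizza Ordering System.
// The vulnerable pattern the advisory describes is concatenating the raw
// request value into the query string; here the value is validated first
// and then bound as an integer parameter instead.
declare(strict_types=1);

function getDb(): PDO {
    // Assumed DSN and credentials; 'app_ro' stands for a read-only account,
    // in line with the least-privilege recommendation above.
    return new PDO('mysql:host=localhost;dbname=pizza', 'app_ro', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
}

// Validate before the value gets anywhere near SQL: a positive integer or nothing.
function parseOrderId(?string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one order with a bound integer parameter; the query structure is fixed
// at prepare time, so no input can alter it.
function fetchOrder(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, customer, total, status FROM orders WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id = parseOrderId($_GET['id'] ?? null);
if ($id === null) {
    // Rejected input is logged so monitoring can pick up probing of this parameter.
    http_response_code(400);
    error_log('listorder: rejected non-integer id from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit('Invalid order id');
}

$order = fetchOrder(getDb(), $id);
if ($order === null) {
    http_response_code(404);
    exit('Order not found');
}
header('Content-Type: application/json');
echo json_encode($order);
```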
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-17T16:48:59.085Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691bb966d4c3ef3c7a511605
Added to database: 11/18/2025, 12:10:14 AM
Last enriched: 11/25/2025, 1:07:29 AM
Last updated: 1/7/2026, 6:08:21 AM