CVE-2025-14652 identifies a SQL injection vulnerability in the itsourcecode Online Cake Ordering System version 1.0, specifically affecting the /admindetail.php script when accessed with the action=edit parameter. The vulnerability arises from improper sanitization of the 'ID' parameter, allowing an attacker to inject malicious SQL code remotely without authentication or user interaction. This can lead to unauthorized reading, modification, or deletion of database records, potentially compromising sensitive customer data or administrative information. The vulnerability has a CVSS 4.0 score of 6.9, reflecting medium severity due to its network attack vector, no required privileges, and no user interaction, but limited impact on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public availability of exploit code increases the likelihood of future attacks. The affected product is a niche online ordering system, which may be used by small to medium-sized businesses in the food delivery sector. The lack of patches or vendor advisories necessitates proactive mitigation by users. The vulnerability highlights the critical need for secure coding practices such as input validation and use of prepared statements to prevent injection attacks.

For European organizations using the itsourcecode Online Cake Ordering System 1.0, this vulnerability could lead to unauthorized access to customer and business data, including order details and administrative credentials. This may result in data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and potential financial losses. The ability to modify or delete database records could disrupt business operations, causing service outages or incorrect order processing. Given the remote and unauthenticated nature of the exploit, attackers can easily target vulnerable systems exposed to the internet. European SMEs in the food delivery and e-commerce sectors, which often rely on third-party or open-source ordering platforms, are particularly at risk. The medium severity indicates a moderate but tangible threat that could escalate if combined with other vulnerabilities or social engineering attacks.

1. Immediately implement input validation and sanitization on the 'ID' parameter in /admindetail.php to reject or properly encode malicious input. 2. Refactor database queries to use parameterized statements or prepared queries to eliminate direct SQL injection vectors. 3. Restrict access to administrative endpoints by IP whitelisting or VPN access to reduce exposure. 4. Monitor database logs for unusual queries or access patterns indicative of injection attempts. 5. Conduct a comprehensive security audit of the entire application to identify and remediate similar injection flaws. 6. If possible, upgrade to a newer, patched version of the software or apply vendor-provided patches once available. 7. Educate development teams on secure coding practices to prevent recurrence. 8. Implement web application firewalls (WAF) with rules targeting SQL injection signatures as an additional protective layer.