CVE-2025-15166 is an SQL Injection vulnerability identified in the itsourcecode Online Cake Ordering System version 1.0. The vulnerability exists in the /updatesupplier.php script when the 'action=edit' parameter is used, specifically through manipulation of the 'ID' argument. This parameter is not properly sanitized or validated, allowing an attacker to inject arbitrary SQL commands remotely without requiring authentication or user interaction. The vulnerability can be exploited by sending crafted HTTP requests to the affected endpoint, potentially enabling attackers to read, modify, or delete database records, thereby compromising the confidentiality, integrity, and availability of the system's data. The CVSS 4.0 vector indicates that the attack complexity is low, no privileges or user interaction are required, and the impact on confidentiality, integrity, and availability is low to limited. Although no known exploits are currently active in the wild, the public disclosure of exploit code increases the risk of exploitation. The affected product is a niche online ordering system, which may limit the scale of impact but still poses a significant risk to organizations relying on this software for business operations. The lack of available patches necessitates immediate mitigation efforts by users of this system.

For European organizations using the itsourcecode Online Cake Ordering System 1.0, this vulnerability could lead to unauthorized access to sensitive customer and supplier data, manipulation of order or supplier information, and potential disruption of online ordering services. The compromise of database integrity could result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for data protection. Small and medium-sized enterprises (SMEs) in the food delivery and catering sectors, which may rely on this software, are particularly at risk. The ability to exploit this vulnerability remotely without authentication increases the attack surface, making it easier for cybercriminals to target affected organizations. While the overall impact is medium, the potential for data leakage or service disruption could have outsized effects on smaller businesses with limited cybersecurity resources.

Organizations should immediately audit their use of the itsourcecode Online Cake Ordering System and identify any instances of version 1.0 in use. Since no official patches are currently available, implement the following mitigations: 1) Apply strict input validation and sanitization on the 'ID' parameter in /updatesupplier.php to prevent SQL injection. 2) Refactor database queries to use parameterized statements or prepared queries to eliminate injection vectors. 3) Restrict database user permissions to the minimum necessary to limit the impact of any successful injection. 4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoint. 5) Monitor web server and database logs for suspicious activity related to the 'action=edit' parameter. 6) Consider isolating or replacing the vulnerable system with a more secure alternative if immediate remediation is not feasible. 7) Educate development and IT teams about secure coding practices to prevent similar vulnerabilities in the future.