CVE-2025-4489: SQL Injection in Campcodes Online Food Ordering System
A vulnerability was found in Campcodes Online Food Ordering System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /routers/user-router.php. The manipulation of the argument t1_verified leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-4489 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Food Ordering System. The vulnerability resides in the /routers/user-router.php file, specifically involving the manipulation of the 't1_verified' parameter. An attacker can exploit this flaw by sending crafted input to this parameter, which is not properly sanitized before being used in SQL queries. This allows the attacker to inject arbitrary SQL commands remotely without requiring authentication or user interaction. The vulnerability has been publicly disclosed, increasing the risk of exploitation. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the public disclosure means that exploit code could be developed and weaponized quickly. The vulnerability could allow attackers to extract sensitive user data, modify database contents, or disrupt service availability by manipulating backend database queries. Since the affected product is an online food ordering system, the compromise could lead to exposure of customer personal and payment information, manipulation of orders, or denial of service affecting business operations.
Potential Impact
For European organizations using Campcodes Online Food Ordering System 1.0, this vulnerability poses significant risks. Compromise could lead to unauthorized access to customer data, including personal and payment information, violating GDPR and other data protection regulations, potentially resulting in heavy fines and reputational damage. Manipulation of order data could disrupt business operations, leading to financial losses and customer dissatisfaction. The remote, unauthenticated nature of the exploit increases the likelihood of attacks, especially as the vulnerability is publicly known. Small and medium-sized food service providers relying on this system may lack the resources to quickly detect and remediate attacks, increasing their exposure. Additionally, supply chain impacts could arise if attackers use compromised systems as footholds for broader network intrusion. The medium CVSS score suggests moderate impact, but the critical nature of customer data and service continuity in the food ordering sector amplifies the threat.
Mitigation Recommendations
Organizations should immediately assess their use of Campcodes Online Food Ordering System version 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, implement web application firewall (WAF) rules specifically targeting SQL injection attempts on the 't1_verified' parameter to block malicious payloads. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters involved in database queries. Employ parameterized queries or prepared statements in the application code to prevent injection. Monitor logs for unusual database query patterns or errors indicative of injection attempts. Restrict database user permissions to the minimum necessary to limit the impact of a successful injection. Regularly back up databases and test restoration procedures to mitigate potential data loss. Finally, ensure compliance with GDPR by promptly reporting any data breaches resulting from exploitation.
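As an added illustration (not code from the Campcodes project; the actual /routers/user-router.php was not reviewed here), the PHP below contrasts the string-concatenation pattern behind this class of flaw with a prepared-statement version that also validates t1_verified as the 0/1 flag its name suggests. The table, column and handler names, and the use of PDO, are assumptions.

```php
<?php
// Added illustration, not code from Campcodes Online Food Ordering System.
// Table, column and handler names are assumed for the purpose of contrast.

// Connection helper (assumed): real prepared statements, no client-side emulation.
function connect(string $dsn, string $user, string $pass): PDO {
    $db = new PDO($dsn, $user, $pass);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// BEFORE (hypothetical): the request value is concatenated straight into SQL,
// so any SQL metacharacters in t1_verified become part of the statement.
function findUsersUnsafe(PDO $db, string $t1Verified): array {
    $sql = "SELECT id, name, email FROM users WHERE verified = '" . $t1Verified . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: validate the value against the only forms it should ever take, then
// bind it as a parameter so the database never parses it as SQL.
function findUsersSafe(PDO $db, mixed $t1Verified): array {
    // t1_verified is a flag; accept only 0 or 1 and reject everything else early.
    $flag = filter_var($t1Verified, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 1],
    ]);
    if ($flag === false) {
        throw new InvalidArgumentException('t1_verified must be 0 or 1');
    }
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE verified = :verified');
    $stmt->bindValue(':verified', $flag, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Router glue (assumed): read the parameter from the request and fail closed,
// returning a 400 rather than passing unexpected input to the database.
function handleUserRoute(PDO $db): void {
    header('Content-Type: application/json');
    try {
        echo json_encode(findUsersSafe($db, $_GET['t1_verified'] ?? null));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Rejected requests surface as 400 responses in the web server log, which gives the log-monitoring recommendation above a concrete signal to alert on for this parameter.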
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-09T12:02:17.490Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682d9817c4522896dcbd72ea
Added to database: 5/21/2025, 9:08:39 AM
Last enriched: 7/4/2025, 11:27:31 PM
Last updated: 8/18/2025, 11:34:35 PM
Related Threats
- CVE-2025-43758: CWE-552 Files or Directories Accessible to External Parties in Liferay Portal (Medium)
- CVE-2025-52287: n/a (High)
- CVE-2025-55581: n/a (High)
- CVE-2025-52085: n/a (High)
- CVE-2025-43760: CWE-79: Cross-site Scripting in Liferay Portal (Medium)