
CVE-2025-4490: SQL Injection in Campcodes Online Food Ordering System

Severity: Medium
Published: Fri May 09 2025 (05/09/2025, 21:00:08 UTC)
Source: CVE
Vendor/Project: Campcodes
Product: Online Food Ordering System

Description

A vulnerability classified as critical has been found in Campcodes Online Food Ordering System 1.0. This affects an unknown part of the file /view-ticket-admin.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 23:27:43 UTC

Technical Analysis

CVE-2025-4490 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Food Ordering System, specifically within the /view-ticket-admin.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is directly used in SQL queries. This flaw allows an unauthenticated remote attacker to inject malicious SQL code, potentially manipulating the backend database. Exploitation could lead to unauthorized data access, modification, or deletion, compromising the confidentiality, integrity, and availability of the system's data. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. Although the CVSS 4.0 score is 6.9, categorized as medium severity, the potential impact on sensitive customer and order data in an online food ordering context is significant. No patches or fixes have been publicly disclosed yet, and no known exploits are currently observed in the wild, but public disclosure of the exploit details increases the likelihood of future attacks.

Potential Impact

For European organizations using the Campcodes Online Food Ordering System 1.0, this vulnerability poses a considerable risk. Attackers could leverage the SQL injection to access sensitive customer information, including personal data and order histories, potentially violating GDPR requirements and leading to regulatory penalties. Data integrity could be compromised by unauthorized modification or deletion of orders, disrupting business operations and damaging customer trust. Availability of the ordering platform could also be affected if attackers execute destructive queries or cause database corruption. Given the critical role of online food ordering systems in hospitality and retail sectors, exploitation could result in financial losses, reputational damage, and operational downtime. The remote and unauthenticated nature of the attack vector further exacerbates the threat, as attackers do not require insider access or user interaction to exploit the vulnerability.

Mitigation Recommendations

European organizations should immediately conduct an audit to identify any deployments of Campcodes Online Food Ordering System version 1.0. Until an official patch is released, implement the following mitigations:

1) Apply Web Application Firewall (WAF) rules specifically targeting SQL injection patterns on the 'ID' parameter in /view-ticket-admin.php to block malicious payloads.
2) Employ input validation and parameterized queries or prepared statements in the application code to prevent injection, if source code access and modification are possible.
3) Restrict database user permissions to the minimum necessary to limit the impact of a successful injection.
4) Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint.
5) Consider isolating or temporarily disabling the vulnerable functionality if feasible.
6) Engage with the vendor for timely patch updates and verify the integrity of software updates before deployment.
7) Educate security teams on this vulnerability to enhance detection and response capabilities.
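As an added example that is not part of this advisory or of the Campcodes product, the following Python script implements the log-monitoring recommendation above: it parses constructed combined-format web access-log lines, flags requests to /view-ticket-admin.php whose ID argument is not a plain positive integer (the assumption being that legitimate ticket IDs are numeric, so an allow-list check is used rather than a payload blacklist), and lists source addresses that repeat such requests.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:10:01:02 +0000] "GET /view-ticket-admin.php?ID=12 HTTP/1.1" 200 1532
203.0.113.10 - - [10/May/2025:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 884
198.51.100.7 - - [10/May/2025:10:02:15 +0000] "GET /view-ticket-admin.php?ID=12%27 HTTP/1.1" 500 0
198.51.100.7 - - [10/May/2025:10:02:16 +0000] "GET /view-ticket-admin.php?ID=abc HTTP/1.1" 200 1532
198.51.100.7 - - [10/May/2025:10:02:17 +0000] "GET /view-ticket-admin.php?ID=12 HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
DIGITS = re.compile(r"[0-9]+")
VULN_PATH = "/view-ticket-admin.php"   # endpoint named in the advisory
PARAM = "ID"                           # argument named in the advisory

def parse_line(line):
    """Return a dict (ip, ts, method, target, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_suspicious(target):
    """True when the request hits the vulnerable path with an ID that is not a plain positive integer.
    Assumption: valid ticket IDs are numeric; anything else is flagged (allow-list, not a payload blacklist)."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return False  # parameter absent: nothing reaches the query
    return not all(DIGITS.fullmatch(v) for v in values)

def scan(log_text, threshold=2):
    """Return (findings, repeat_offenders): flagged (ip, decoded target, status) tuples,
    and the sorted list of source IPs with at least `threshold` flagged requests."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["target"]):
            findings.append((rec["ip"], unquote(rec["target"]), rec["status"]))
            per_ip[rec["ip"]] += 1
    repeat_offenders = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return findings, repeat_offenders
```

The same allow-list rule (reject any non-numeric ID before it reaches the query) is what a WAF rule or the application's own input validation for this endpoint should enforce.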


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-09T12:02:19.747Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/4/2025, 11:27:43 PM

Last updated: 7/27/2025, 8:22:10 PM
