
CVE-2025-4491: SQL Injection in Campcodes Online Food Ordering System

Severity: Medium
Tags: Vulnerability, CVE-2025-4491
Published: Fri May 09 2025 (05/09/2025, 21:00:10 UTC)
Source: CVE
Vendor/Project: Campcodes
Product: Online Food Ordering System

Description

A vulnerability classified as critical was found in Campcodes Online Food Ordering System 1.0. This vulnerability affects unknown code of the file /routers/ticket-status.php. The manipulation of the argument ticket_id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/04/2025, 23:27:55 UTC

Technical Analysis

CVE-2025-4491 is a critical SQL injection vulnerability identified in version 1.0 of the Campcodes Online Food Ordering System. The flaw is in the /routers/ticket-status.php file, reached through the 'ticket_id' parameter: an unauthenticated attacker can remotely inject SQL into the 'ticket_id' argument without any user interaction. Successful exploitation can lead to unauthorized reading, modification, or deletion of database contents, compromising the confidentiality, integrity, and availability of the system's data. The vulnerability carries a CVSS 4.0 base score of 6.9 (medium severity), primarily because the impact on confidentiality, integrity, and availability is rated low to limited. No privileges or user interaction are required, and the attack vector is network-based, so exploitation is feasible remotely. Although no exploitation in the wild is currently known, the public disclosure of the vulnerability increases the risk of exploitation. No patch or mitigation is available from the vendor, which further increases the exposure of users of this software.

Potential Impact

For European organizations utilizing the Campcodes Online Food Ordering System 1.0, this vulnerability poses a significant risk to their operational security and customer data privacy. Exploitation could lead to unauthorized data access, including customer order information, payment details, or internal ticketing data, potentially resulting in data breaches and regulatory non-compliance under GDPR. The integrity of order processing could be compromised, leading to fraudulent orders or denial of service conditions affecting business continuity. Given the critical nature of food ordering systems in the retail and hospitality sectors, disruption could impact customer trust and revenue. Additionally, compromised systems could be leveraged as pivot points for broader network intrusion. The medium CVSS score suggests limited but tangible impact; however, the ease of exploitation without authentication raises concern for rapid spread among vulnerable deployments.

Mitigation Recommendations

Organizations should immediately audit their deployments of Campcodes Online Food Ordering System to identify any instances of version 1.0. Until an official patch is released, it is critical to implement web application firewall (WAF) rules specifically targeting SQL injection attempts on the 'ticket_id' parameter in /routers/ticket-status.php. Input validation and parameterized queries should be enforced if source code access is available. Network segmentation and strict access controls should limit exposure of the affected system to untrusted networks. Monitoring and logging of database queries and web requests should be enhanced to detect anomalous activities indicative of exploitation attempts. Organizations should also prepare incident response plans for potential data breaches stemming from this vulnerability. Engaging with the vendor for timely patch releases and updates is essential. If feasible, migrating to alternative food ordering platforms with better security postures should be considered.
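The two code-level recommendations above, a strict allow-list on 'ticket_id' combined with a parameterized query, and detection of anomalous requests to /routers/ticket-status.php in web server logs, are shown together below. This is an added example, not Campcodes' code: the original router is PHP and its source is not on this page, so the flawed and hardened patterns are re-created in Python with sqlite3, and the table schema, the handler names and the access-log lines are all constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the application's ticket table (assumption: the
# real schema is not published on the advisory page).
SCHEMA = """
CREATE TABLE tickets (ticket_id INTEGER PRIMARY KEY, status TEXT NOT NULL);
INSERT INTO tickets VALUES (1, 'open'), (2, 'closed'), (3, 'pending');
"""

# Strict allow-list for the only shape a ticket id should ever have.
ID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ticket_status_unsafe(conn, ticket_id):
    """The flawed pattern: the request value is spliced into the SQL text,
    so whatever the client sends is parsed as SQL rather than treated as data."""
    sql = f"SELECT status FROM tickets WHERE ticket_id = {ticket_id}"
    return [row[0] for row in conn.execute(sql)]


def ticket_status_safe(conn, ticket_id):
    """Hardened handler: allow-list the shape of the value, then bind it as a
    query parameter so the database driver never interprets it as SQL."""
    value = str(ticket_id)
    if not ID_RE.fullmatch(value):
        raise ValueError("ticket_id must be a positive integer")
    sql = "SELECT status FROM tickets WHERE ticket_id = ?"
    return [row[0] for row in conn.execute(sql, (int(value),))]


def is_rejected(conn, ticket_id):
    """True when the hardened handler refuses the value before touching the DB."""
    try:
        ticket_status_safe(conn, ticket_id)
    except ValueError:
        return True
    return False


# --- detection over web server access logs --------------------------------

TARGET_PATH = "/routers/ticket-status.php"

# Combined-log-format line: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from any real deployment): one normal lookup,
# two malformed ticket_id values, and one request to an unrelated path.
SAMPLE_LOG = """\
203.0.113.5 - - [09/May/2025:21:00:10 +0000] "GET /routers/ticket-status.php?ticket_id=42 HTTP/1.1" 200 512
203.0.113.7 - - [09/May/2025:21:00:11 +0000] "GET /routers/ticket-status.php?ticket_id=42%27 HTTP/1.1" 500 230
198.51.100.9 - - [09/May/2025:21:00:12 +0000] "GET /routers/ticket-status.php?ticket_id=1%20OR%201%3D1 HTTP/1.1" 200 9812
203.0.113.5 - - [09/May/2025:21:00:13 +0000] "GET /index.php?ticket_id=abc HTTP/1.1" 200 1024
"""


def suspicious_requests(log_text):
    """Return (client_ip, decoded_ticket_id, http_status) for every request to
    the affected router whose ticket_id is not a plain integer. The check is an
    allow-list on the parameter's expected shape, so it needs no keyword list
    and also flags encoded or obfuscated variants."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        values = parse_qs(parts.query, keep_blank_values=True).get("ticket_id", [])
        for value in values:
            if not ID_RE.fullmatch(value):
                findings.append((m.group("ip"), value, int(m.group("status"))))
    return findings


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", ticket_status_safe(db, "2"))
    print("rejected:", is_rejected(db, "1 OR 1=1"))
    for ip, value, status in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious ticket_id from {ip}: {value!r} (HTTP {status})")
```

The allow-list in `ticket_status_safe` is what a WAF rule for this parameter should enforce as well: rather than matching SQL keywords, reject any 'ticket_id' that is not a short run of digits. The same shape check drives `suspicious_requests`, so log review and the interim WAF rule agree on what a legitimate request looks like, and a spike in rejected values for this path is a direct signal of probing.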


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-09T12:02:22.313Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd7301

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/4/2025, 11:27:55 PM

Last updated: 8/1/2025, 6:52:05 AM

Views: 11
