CVE-2025-4492 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Food Ordering System, specifically within the /routers/ticket-message.php file. The vulnerability arises due to improper sanitization or validation of the 'ticket_id' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even full compromise of the database. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although the vulnerability is classified as critical in the description, the CVSS score reflects a medium severity due to limited scope and impact. No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability's presence in an online food ordering system suggests that attackers could exploit it to access sensitive customer data, order information, or disrupt service operations.

For European organizations using the Campcodes Online Food Ordering System 1.0, this vulnerability poses a significant risk to customer data confidentiality and the integrity of order processing. Exploitation could lead to unauthorized disclosure of personal information, including payment details, customer addresses, and order histories, potentially violating GDPR regulations and resulting in legal and financial penalties. Additionally, attackers could manipulate order data, causing operational disruptions and reputational damage. Given the remote and unauthenticated nature of the exploit, attackers can launch attacks at scale, increasing the risk of widespread impact. The availability of the service could also be affected if attackers execute SQL commands that degrade database performance or cause crashes. The lack of patches and public exploit code increases urgency for organizations to implement mitigations promptly.

European organizations should immediately audit their use of Campcodes Online Food Ordering System version 1.0 and prioritize upgrading to a patched version once available. In the interim, implement strict input validation and parameterized queries or prepared statements for all database interactions involving 'ticket_id' or similar parameters to prevent injection. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint. Conduct thorough logging and monitoring of database queries and web application traffic to identify suspicious activities. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Additionally, organizations should review and enhance their incident response plans to address potential data breaches stemming from this vulnerability. Regular security assessments and penetration testing focusing on injection flaws are recommended to detect similar issues proactively.