
CVE-2025-4492: SQL Injection in Campcodes Online Food Ordering System

Severity: Medium
Published: Fri May 09 2025 (05/09/2025, 21:31:04 UTC)
Source: CVE
Vendor/Project: Campcodes
Product: Online Food Ordering System

Description

A vulnerability, which was classified as critical, has been found in Campcodes Online Food Ordering System 1.0. This issue affects some unknown processing of the file /routers/ticket-message.php. The manipulation of the argument ticket_id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/04/2025, 23:28:06 UTC

Technical Analysis

CVE-2025-4492 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Food Ordering System, specifically within the /routers/ticket-message.php file. The vulnerability arises due to improper sanitization or validation of the 'ticket_id' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even full compromise of the database. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although the vulnerability is classified as critical in the description, the CVSS score reflects a medium severity due to limited scope and impact. No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability's presence in an online food ordering system suggests that attackers could exploit it to access sensitive customer data, order information, or disrupt service operations.

Potential Impact

For European organizations using the Campcodes Online Food Ordering System 1.0, this vulnerability poses a significant risk to customer data confidentiality and the integrity of order processing. Exploitation could lead to unauthorized disclosure of personal information, including payment details, customer addresses, and order histories, potentially violating GDPR and resulting in legal and financial penalties. Additionally, attackers could manipulate order data, causing operational disruptions and reputational damage. Because the flaw is remotely exploitable without authentication, it can be attacked at scale, increasing the risk of widespread impact. The availability of the service could also be affected if attackers execute SQL commands that degrade database performance or cause crashes. The absence of a patch, combined with the public disclosure of the exploit, makes prompt mitigation urgent.

Mitigation Recommendations

European organizations should immediately audit their use of Campcodes Online Food Ordering System version 1.0 and prioritize upgrading to a patched version once available. In the interim, implement strict input validation and parameterized queries or prepared statements for all database interactions involving 'ticket_id' or similar parameters to prevent injection. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint. Conduct thorough logging and monitoring of database queries and web application traffic to identify suspicious activities. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Additionally, organizations should review and enhance their incident response plans to address potential data breaches stemming from this vulnerability. Regular security assessments and penetration testing focusing on injection flaws are recommended to detect similar issues proactively.
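As an added illustration of the validation and prepared-statement advice above (not code from the Campcodes project), the following PHP handler looks up a ticket_id parameter safely; the table and column names, the database account and the DSN are all assumptions:

```php
<?php
// Added example, not the Campcodes project's code. Table/column names
// (ticket_messages, ticket_id, message, created_at) and the DSN are assumed.

// Weak pattern (constructed, shown only for contrast): the request value is
// concatenated into the SQL text, so the database parses it as part of the query.
//   $sql = "SELECT * FROM ticket_messages WHERE ticket_id = '" . $_GET['ticket_id'] . "'";

// Hardened pattern: validate the parameter's shape, then bind it as a typed
// placeholder so the database only ever treats it as a value.
function fetchTicketMessages(PDO $db, $rawTicketId): array
{
    // ticket_id is expected to be a positive integer; anything else is
    // rejected before it reaches the database layer.
    $ticketId = filter_var($rawTicketId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($ticketId === false) {
        throw new InvalidArgumentException('ticket_id must be a positive integer');
    }

    $stmt = $db->prepare(
        'SELECT id, ticket_id, message, created_at
           FROM ticket_messages
          WHERE ticket_id = :ticket_id
          ORDER BY created_at'
    );
    $stmt->bindValue(':ticket_id', $ticketId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Native (non-emulated) prepares send query text and parameters separately.
// The account used here should only have SELECT on this table (least privilege).
$db = new PDO(
    'mysql:host=localhost;dbname=food_ordering;charset=utf8mb4',
    'ticket_reader', getenv('DB_PASS') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

header('Content-Type: application/json');
try {
    echo json_encode(fetchTicketMessages($db, $_GET['ticket_id'] ?? ''));
} catch (InvalidArgumentException $e) {
    // Malformed input is answered with 400 and never reaches the query.
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

Rejected requests (non-integer ticket_id values) surface as 400 responses in the web server log, which is a useful signal for the monitoring recommended above.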


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-09T12:02:24.750Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd7305

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/4/2025, 11:28:06 PM

Last updated: 8/17/2025, 1:57:36 AM
