CVE-2025-4549: SQL Injection in Campcodes Online Food Ordering System
A vulnerability classified as critical was found in Campcodes Online Food Ordering System 1.0. This vulnerability affects unknown code of the file /routers/register-router.php. The manipulation of the argument Name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-4549 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Food Ordering System. It is located in the /routers/register-router.php file and is reached through manipulation of the 'Name' argument. The flaw allows an unauthenticated remote attacker to inject SQL into the backend database queries, because user input is neither sanitized nor parameterized before being incorporated into SQL statements. Exploitation could enable an attacker to read, modify, or delete sensitive data stored in the database, compromising user information, order details, and system integrity. The vulnerability has a CVSS 4.0 base score of 6.9, a medium severity level: the attack vector is network-based with no authentication or user interaction required, so exploitation is feasible remotely, but the impact on confidentiality, integrity, and availability is rated low individually, which collectively yields the medium rating. No public exploits are currently known to be in the wild, but the vulnerability details have been disclosed publicly, which increases the risk of exploitation. The vendor has provided no patches or mitigation links at this time, leaving systems running this version exposed. Given the nature of the product, a food ordering system, successful exploitation could lead to unauthorized access to customer data, order manipulation, or disruption of service, damaging business operations and customer trust.
Potential Impact
For European organizations using Campcodes Online Food Ordering System 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of customer and transactional data. Food service providers rely heavily on the availability and trustworthiness of their ordering platforms; a successful SQL injection attack could result in data breaches exposing personal customer information, including names, contact details, and order histories. Additionally, attackers could alter order data or disrupt service availability, leading to operational downtime and financial loss. Given the GDPR regulations in Europe, any data breach involving personal data could result in significant regulatory penalties and reputational damage. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the impact on system availability and data confidentiality is somewhat limited, but still significant enough to warrant urgent attention. Organizations in the food service sector, especially those with online ordering systems integrated into their customer-facing services, should consider this a priority vulnerability to address to maintain compliance and customer trust.
Mitigation Recommendations
Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:
1) Applying web application firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'Name' parameter in the /routers/register-router.php endpoint.
2) Conducting thorough input validation and sanitization on all user-supplied data, especially the 'Name' field, to ensure that only expected characters and formats are accepted.
3) Employing parameterized queries or prepared statements in the application code to prevent direct injection of user input into SQL commands.
4) Monitoring database and application logs for unusual query patterns or error messages indicative of injection attempts.
5) Restricting database user permissions to the minimum necessary to limit the potential damage of a successful injection.
6) Planning and prioritizing an upgrade or patch deployment once the vendor releases an official fix.
7) Conducting security awareness training for developers and administrators on secure coding practices and vulnerability management.
These targeted measures will help reduce the risk of exploitation until a permanent fix is available.
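The developer-side controls in points 2 and 3 above, as an added example that is not the Campcodes project's code (the affected code is not shown on this page): a hypothetical registration handler written with the string-building pattern the advisory describes, beside a hardened version that validates the Name field and uses a mysqli prepared statement. Table and column names, POST field names and the database credentials are assumptions.

```php
<?php
// Added example, not the Campcodes project's code. Table/column names
// (users, name, email, password), POST field names and DB credentials are assumed.

// Vulnerable pattern: the Name value is spliced into the SQL string, so
// a quote character in it changes the statement structure.
function registerUnsafe(mysqli $db, string $name, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $sql  = "INSERT INTO users (name, email, password) VALUES ('$name', '$email', '$hash')";
    return $db->query($sql) === true;
}

// Point 2: accept only the characters a name should contain, with a length bound.
// Apostrophes and hyphens stay allowed (O'Brien, Jean-Luc): validation narrows
// input, but it is the prepared statement below that makes quoting irrelevant.
function validateName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 64) {
        return null;
    }
    return preg_match("/^[\p{L}\p{M}' -]+$/u", $name) === 1 ? $name : null;
}

// Point 3: a prepared statement sends the values separately from the query
// text, so the database never parses user input as SQL.
function registerSafe(mysqli $db, string $name, string $email, string $password): bool
{
    $name = validateName($name);
    if ($name === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (name, email, password) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param('sss', $name, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Entry point in the style of /routers/register-router.php (placeholder credentials).
$db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'food_ordering');
$ok = registerSafe($db, $_POST['name'] ?? '', $_POST['email'] ?? '', $_POST['password'] ?? '');
http_response_code($ok ? 201 : 400);
```

Until the vendor ships a fix, the same prepared-statement change applied to every query that touches registration input is what closes the flaw; the WAF rule in point 1 only narrows the window.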
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-10T15:39:24.337Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd694f
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 7/12/2025, 3:02:06 AM
Last updated: 8/18/2025, 5:08:41 AM