
CVE-2025-4549: SQL Injection in Campcodes Online Food Ordering System

Medium
Published: Sun May 11 2025 (05/11/2025, 22:00:06 UTC)
Source: CVE
Vendor/Project: Campcodes
Product: Online Food Ordering System

Description

A vulnerability classified as critical was found in Campcodes Online Food Ordering System 1.0. This vulnerability affects unknown code of the file /routers/register-router.php. The manipulation of the argument Name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/12/2025, 03:02:06 UTC

Technical Analysis

CVE-2025-4549 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Food Ordering System. The flaw is in the file /routers/register-router.php and is reached by manipulating the 'Name' argument. It allows an unauthenticated remote attacker to inject SQL into the queries the application sends to its backend database, because user input is neither validated nor parameterized before it is placed into SQL statements. Successful exploitation could let an attacker read, modify or delete data held in the database, exposing user information and order details and undermining system integrity.

The vulnerability has a CVSS 4.0 base score of 6.9 (medium). The attack vector is network-based and requires neither authentication nor user interaction, so exploitation is feasible remotely. The confidentiality, integrity and availability impacts are each rated low, which is what yields the medium overall rating. No public exploitation in the wild is currently known, but the vulnerability details have been disclosed publicly, which raises the likelihood of attempts. The vendor has provided no patch or mitigation links at this time, leaving systems running this version exposed.

Given the nature of the product, a food ordering system, successful exploitation could lead to unauthorized access to customer data, manipulation of orders or disruption of service, with corresponding damage to business operations and customer trust.

Potential Impact

For European organizations using Campcodes Online Food Ordering System 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of customer and transactional data. Food service providers rely heavily on the availability and trustworthiness of their ordering platforms; a successful SQL injection attack could result in data breaches exposing personal customer information, including names, contact details, and order histories. Additionally, attackers could alter order data or disrupt service availability, leading to operational downtime and financial loss. Given the GDPR regulations in Europe, any data breach involving personal data could result in significant regulatory penalties and reputational damage. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the impact on system availability and data confidentiality is somewhat limited, but still significant enough to warrant urgent attention. Organizations in the food service sector, especially those with online ordering systems integrated into their customer-facing services, should consider this a priority vulnerability to address to maintain compliance and customer trust.

Mitigation Recommendations

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:

1) Applying web application firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'Name' parameter in the /routers/register-router.php endpoint.
2) Conducting thorough input validation and sanitization on all user-supplied data, especially the 'Name' field, to ensure that only expected characters and formats are accepted.
3) Employing parameterized queries or prepared statements in the application code to prevent direct injection of user input into SQL commands.
4) Monitoring database and application logs for unusual query patterns or error messages indicative of injection attempts.
5) Restricting database user permissions to the minimum necessary to limit the potential damage of a successful injection.
6) Planning and prioritizing an upgrade or patch deployment once the vendor releases an official fix.
7) Conducting security awareness training for developers and administrators on secure coding practices and vulnerability management.

These targeted measures will help reduce the risk of exploitation until a permanent fix is available.
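The following is an added illustration of the vulnerable pattern described in the Technical Analysis beside the hardened form that mitigation items 2 and 3 call for; it is not code from the Campcodes Online Food Ordering System, whose source for register-router.php is not shown on this page. The table name `users`, its columns, the in-memory SQLite database and the validation rules are assumptions made for the example; only the 'Name' request field comes from the advisory.

```php
<?php
// Added example, not the project's code. Table/column names, the SQLite
// in-memory database and the validation rule are assumptions; only the
// request field 'Name' is taken from the advisory.
declare(strict_types=1);

// Vulnerable pattern: the Name value is concatenated into the SQL text, so
// any quote or SQL metacharacter in it alters the structure of the query.
function registerUserVulnerable(PDO $db, array $post): void
{
    $name = $post['Name'] ?? '';
    $sql  = "INSERT INTO users (name) VALUES ('" . $name . "')";
    $db->exec($sql); // query structure is under the client's control
}

// Allow-list validation (mitigation item 2): letters, spaces, dots,
// hyphens and apostrophes, 1 to 60 characters. Returns null on rejection.
function validateName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 60) {
        return null;
    }
    if (preg_match('/^\p{L}[\p{L} .\'\-]*$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// Hardened pattern (mitigation item 3): the value is bound as a parameter,
// so the database receives the SQL text and the data separately. Invalid
// input is rejected rather than "cleaned".
function registerUserSafe(PDO $db, array $post): bool
{
    $name = validateName((string)($post['Name'] ?? ''));
    if ($name === null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

// Demonstration against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

var_dump(registerUserSafe($db, ['Name' => "Anne-Marie O'Neill"])); // true: apostrophe is data, not SQL
var_dump(registerUserSafe($db, ['Name' => '<b>Bob</b>']));         // false: rejected by the allow-list
```

The apostrophe in the accepted name is exactly the character that breaks the concatenated query in registerUserVulnerable; with binding it is stored verbatim without touching the query structure.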


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-10T15:39:24.337Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd694f

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 3:02:06 AM

Last updated: 8/1/2025, 2:38:50 AM
