CVE-2025-4549 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Food Ordering System. The vulnerability is located in the /routers/register-router.php file, specifically through manipulation of the 'Name' argument. This flaw allows an unauthenticated remote attacker to inject malicious SQL code into the backend database queries. The injection occurs because user input is not properly sanitized or parameterized before being incorporated into SQL statements. Exploiting this vulnerability could enable attackers to read, modify, or delete sensitive data stored in the database, potentially compromising user information, order details, and system integrity. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based with no authentication or user interaction required, making exploitation feasible remotely. However, the impact on confidentiality, integrity, and availability is rated as low individually, which collectively results in the medium severity rating. No public exploits are currently known to be in the wild, but the vulnerability details have been disclosed publicly, increasing the risk of exploitation. No patches or mitigation links have been provided by the vendor at this time, which leaves systems running this version exposed. Given the nature of the product—a food ordering system—successful exploitation could lead to unauthorized access to customer data, order manipulation, or disruption of service, which could damage business operations and customer trust.

For European organizations using Campcodes Online Food Ordering System 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of customer and transactional data. Food service providers rely heavily on the availability and trustworthiness of their ordering platforms; a successful SQL injection attack could result in data breaches exposing personal customer information, including names, contact details, and order histories. Additionally, attackers could alter order data or disrupt service availability, leading to operational downtime and financial loss. Given the GDPR regulations in Europe, any data breach involving personal data could result in significant regulatory penalties and reputational damage. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the impact on system availability and data confidentiality is somewhat limited, but still significant enough to warrant urgent attention. Organizations in the food service sector, especially those with online ordering systems integrated into their customer-facing services, should consider this a priority vulnerability to address to maintain compliance and customer trust.

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include: 1) Applying web application firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'Name' parameter in the /routers/register-router.php endpoint. 2) Conducting thorough input validation and sanitization on all user-supplied data, especially the 'Name' field, to ensure that only expected characters and formats are accepted. 3) Employing parameterized queries or prepared statements in the application code to prevent direct injection of user input into SQL commands. 4) Monitoring database and application logs for unusual query patterns or error messages indicative of injection attempts. 5) Restricting database user permissions to the minimum necessary to limit the potential damage of a successful injection. 6) Planning and prioritizing an upgrade or patch deployment once the vendor releases an official fix. 7) Conducting security awareness training for developers and administrators on secure coding practices and vulnerability management. These targeted measures will help reduce the risk of exploitation until a permanent fix is available.