CVE-2025-6358: SQL Injection in code-projects Simple Pizza Ordering System
A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /saveorder.php. The manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6358 is a SQL injection vulnerability identified in version 1.0 of the code-projects Simple Pizza Ordering System, specifically within the /saveorder.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which an attacker can manipulate to inject SQL syntax into the query the script builds. The flaw allows remote attackers to execute arbitrary SQL commands against the backend database without authentication or user interaction. The vulnerability has been publicly disclosed, which increases the risk of exploitation, although no exploitation in the wild is currently known.

The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of remote exploitation (AV:N) and the absence of any privilege or user-interaction requirement (PR:N/UI:N), offset by limited impact on confidentiality, integrity, and availability (VC:L/VI:L/VA:L). The scope remains unchanged (SC:N), and the exploitability is rated as partially functional (E:P).

The affected functionality within /saveorder.php is not identified, but the endpoint is likely responsible for processing and saving customer orders. Exploiting this flaw could allow attackers to read, modify, or delete order data, or potentially escalate to broader database compromise depending on the backend database's permissions and structure. Given the nature of the product, a pizza ordering system, the database likely contains customer order information, potentially including personal data, order history, and possibly payment-related information if integrated. The absence of patch or mitigation links indicates that no official fix has been released yet, increasing the urgency for organizations using this software to implement compensating controls.
Potential Impact
For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer data and order processing. Attackers exploiting the SQL injection could manipulate orders, disrupt service availability, or extract sensitive customer information, leading to reputational damage, regulatory non-compliance (e.g., GDPR violations), and financial losses. The remote and unauthenticated nature of the exploit increases the attack surface, especially for web-facing instances of the application. Given the criticality of food service operations, disruption could also impact business continuity. Although the CVSS score rates the severity as medium, the actual impact could be higher if the backend database contains sensitive personal or payment data. Additionally, the public disclosure of the vulnerability raises the risk of opportunistic attacks targeting smaller or less-secure businesses that rely on this system, which are common in the European hospitality sector.
Mitigation Recommendations
1. Immediate mitigation should include implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the /saveorder.php endpoint, focusing on suspicious 'ID' parameter values.
2. Conduct a thorough code review and input validation enhancement for the 'ID' parameter and any other user inputs in the application, employing parameterized queries or prepared statements to prevent SQL injection.
3. Restrict database user permissions to the minimum necessary, ensuring the application account cannot perform destructive operations beyond its scope.
4. Monitor application logs and database activity for anomalous queries or access patterns indicative of exploitation attempts.
5. If possible, isolate the affected system from direct internet exposure or implement network-level access controls limiting traffic to trusted sources.
6. Engage with the vendor or community to obtain or develop patches or updated versions that address this vulnerability.
7. Educate IT and security teams about this specific threat to increase vigilance and response readiness.
8. As a longer-term measure, consider migrating to more secure, actively maintained ordering systems with robust security practices.
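The following is an added illustration of recommendations 2 through 4, not code from the Simple Pizza Ordering System itself: a hypothetical save-order handler that validates the ID parameter as an integer and binds it in a PDO prepared statement, beside the string-concatenation pattern the advisory describes. The table and column names (orders, id, status), the database account name (pizza_app) and the PIZZA_DB_PASS environment variable are assumptions.

```php
<?php
// Added illustration, not the Simple Pizza Ordering System's own code.
// Table/column names (orders, id, status) and the account name are assumed.

// Vulnerable pattern: the request value is spliced into the SQL text, so the
// database cannot tell where the ID ends and attacker-supplied SQL begins.
function saveOrderUnsafe(PDO $db, array $request): int
{
    $id = $request['ID'] ?? '';                             // untrusted
    return $db->exec("UPDATE orders SET status = 'saved' WHERE id = " . $id);
}

// Hardened pattern: reject anything that is not a positive integer, then
// bind the value so it reaches the server as data, never as query text.
function saveOrderSafe(PDO $db, array $request): int
{
    $id = filter_var($request['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }
    $stmt = $db->prepare('UPDATE orders SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', 'saved', PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();                               // 0: no such order
}

// Least privilege (recommendation 3): a dedicated account (assumed) that only
// holds SELECT/UPDATE on the orders table, and server-side prepares so the
// statement is parsed by MySQL rather than rebuilt as a string by the driver.
function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=pizza', 'pizza_app',
                   getenv('PIZZA_DB_PASS'), [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Hypothetical entry point for /saveorder.php: validation failures become a
// 400 and are logged, which is the signal recommendation 4 asks to monitor.
try {
    $updated = saveOrderSafe(connect(), $_POST);
    echo json_encode(['updated' => $updated]);
} catch (InvalidArgumentException $e) {
    error_log('saveorder rejected ID from ' . ($_SERVER['REMOTE_ADDR'] ?? '-') . ': ' . $e->getMessage());
    http_response_code(400);
    echo json_encode(['error' => 'invalid order id']);
}
```

A non-numeric ID is rejected before any SQL is built, so the rejected-ID log line can be counted per source address as a cheap indicator of probing against this endpoint.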
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-19T13:21:50.345Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68568e82aded773421b5a87e
Added to database: 6/21/2025, 10:50:42 AM
Last enriched: 6/21/2025, 12:39:03 PM
Last updated: 8/12/2025, 3:27:05 AM