CVE-2025-6360: SQL Injection in code-projects Simple Pizza Ordering System
A vulnerability classified as critical has been found in code-projects Simple Pizza Ordering System 1.0. This affects an unknown part of the file /portal.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6360 is a SQL injection vulnerability in version 1.0 of the code-projects Simple Pizza Ordering System, located in the file /portal.php. The 'ID' request parameter reaches a database query without adequate validation or parameterization, so a remote attacker can alter the structure of the query; the CVSS 4.0 vector records no privileges and no user interaction as prerequisites. Injected SQL runs with whatever privileges the application's database account holds, so the attacker can read, modify or delete data, affecting confidentiality, integrity and availability. Note that the severity labels on this entry disagree: the VulDB disclosure text classifies the issue as 'critical', while the CVSS 4.0 base score is 6.9, which is medium severity, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction. No exploitation in the wild has been observed, but the exploit has been publicly disclosed, which lowers the bar for opportunistic attacks. The product is a niche web-based ordering application of the kind deployed by small food service businesses; exploitation could expose customer data, alter orders, or disrupt service, with consequences for business continuity and customer trust.
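The following is an added illustration of the flaw class described above; it is not code from the Simple Pizza Ordering System, whose actual query in /portal.php is not shown in the advisory. It uses an in-memory SQLite database with constructed `orders` and `users` tables as a stand-in for the application's schema, and contrasts a query that splices the `ID` parameter into SQL text (the vulnerable pattern) with a bound-parameter query and a strict integer check.

```python
"""Added example, not the project's code: numeric-ID SQL injection and its fix.
The schema, rows and function names below are constructed for this demo."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the app's MySQL database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'alice', 12.50), (2, 'bob', 19.00);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'sha1$deadbeef');
        """
    )
    return con


def lookup_order_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so the attacker controls the WHERE clause and can append UNION SELECTs."""
    sql = f"SELECT id, customer, total FROM orders WHERE id = {raw_id}"
    return con.execute(sql).fetchall()


def lookup_order_bound_only(con: sqlite3.Connection, raw_id: str) -> list:
    """Binding alone already neutralises injection: the value is sent as data,
    compared against the integer column, and never parsed as SQL."""
    return con.execute(
        "SELECT id, customer, total FROM orders WHERE id = ?", (raw_id,)
    ).fetchall()


def parse_id(raw_id: str) -> int:
    """Allow-list check: only a plain positive integer is accepted, so junk is
    rejected at the edge (where the app would answer 400) rather than silently
    matching nothing."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw_id):
        raise ValueError(f"invalid id: {raw_id!r}")
    return int(raw_id)


def lookup_order_hardened(con: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: validated type plus a bound parameter."""
    order_id = parse_id(raw_id)
    return con.execute(
        "SELECT id, customer, total FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


def demo() -> dict:
    """Run the same payloads through each variant and collect the outcomes."""
    con = make_db()
    tautology = "1 OR 1=1"
    union = "0 UNION SELECT id, username, password_hash FROM users"
    out = {
        "normal": lookup_order_vulnerable(con, "1"),
        "tautology": lookup_order_vulnerable(con, tautology),   # every order leaks
        "union": lookup_order_vulnerable(con, union),           # credentials leak
        "bound_only": lookup_order_bound_only(con, tautology),  # no rows: text != int
        "hardened_normal": lookup_order_hardened(con, "1"),
    }
    try:
        lookup_order_hardened(con, union)
        out["hardened_rejected"] = False
    except ValueError:
        out["hardened_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `union` case is what turns a "pizza order lookup" into a credential dump: the injected SELECT reads from an unrelated table, which is why the advisory's mention of data exfiltration applies even though /portal.php itself has nothing to do with accounts. In the PHP original the equivalent fix is a PDO or mysqli prepared statement with the ID bound as an integer.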
Potential Impact
For European organizations, particularly SMEs in the food service sector that run the Simple Pizza Ordering System, the risk is concrete. Successful exploitation could expose customer personal data, and payment details if the deployment stores them, which would constitute a personal data breach under the GDPR with notification obligations and possible penalties. Integrity is at risk because injected statements can alter orders or menu data, causing operational disruption and reputational damage, and availability is at risk if destructive SQL (for example statements that delete or drop tables) is executed. Because the attack is remote and unauthenticated, every internet-exposed installation is in scope. The medium CVSS score indicates moderate but tangible risk; timely remediation prevents data breaches and service interruptions.
Mitigation Recommendations
The durable fix is in the code: every value taken from the request, and the 'ID' parameter in /portal.php in particular, must reach the database only through parameterized queries (prepared statements with bound parameters), never by concatenation into SQL text. Since the parameter is a record identifier, also validate it as a plain integer and reject anything else with a client error before any query runs. No official patch was available at the time of analysis, so operators running this software need to review and refactor the code handling the 'ID' parameter themselves. For defence in depth: run the application's database account with the minimum privileges it needs (read/write on its own tables, no DROP, no access to other schemas) so that a successful injection is contained; deploy a Web Application Firewall with SQL injection rules as a stopgap, keeping in mind that WAF rules can be bypassed and are not a substitute for the code fix; monitor web server logs for requests to /portal.php whose ID value is not a plain integer, which is an early indicator of probing; and include injection testing in security audits and penetration tests. Until remediation is complete, restricting external access to the affected system or isolating it within the network reduces exposure.
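The log-monitoring recommendation above can be turned into a concrete check. The script below is an added example, not part of the advisory or the product: it parses access-log lines in the common combined format, keeps only requests to /portal.php, and flags any `id` value (matched case-insensitively, since the advisory spells the argument `ID`) that is not a plain integer. The five log lines are constructed for the example, with sqlmap-style and hand-typed payloads mixed among benign requests.

```python
"""Added example (not from the advisory or the project): flag requests to
/portal.php whose id parameter is not a plain integer. The log lines are
constructed in Apache/nginx combined log format."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log: two benign portal requests, two injection attempts,
# one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jun/2025:10:50:41 +0000] "GET /portal.php?id=7 HTTP/1.1" 200 2134 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jun/2025:10:50:43 +0000] "GET /portal.php?id=7%27%20OR%201%3D1--%20- HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
198.51.100.5 - - [21/Jun/2025:10:51:02 +0000] "GET /portal.php?id=0%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 512 "-" "sqlmap/1.8"
203.0.113.22 - - [21/Jun/2025:10:51:10 +0000] "GET /index.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
203.0.113.23 - - [21/Jun/2025:10:51:12 +0000] "GET /portal.php?ID=12 HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# What a legitimate id looks like; anything else is worth a look.
SAFE_ID = re.compile(r"^[0-9]{1,10}$")


def suspicious_requests(log_text: str, path: str = "/portal.php", param: str = "id") -> list:
    """Return one dict per request to `path` whose `param` value is not a plain
    integer. Percent-decoding is applied twice so double-encoded payloads
    (e.g. %2527 for a quote) are also caught."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than crash
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # decodes once
        values = [v for k, vs in query.items() if k.lower() == param.lower() for v in vs]
        for value in values:
            decoded = unquote_plus(value)  # second pass for double encoding
            if not SAFE_ID.match(decoded):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "id": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} id={hit["id"]!r}')
```

Run it against the live access log with `suspicious_requests(open(path).read())`. The status code is kept because an HTTP 500 on an injected value suggests the payload reached the database and broke the query, which is stronger evidence than a 200. POST bodies are not in the access log, so if the application accepts the parameter via POST as well, the check has to move into the application or the WAF.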
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-19T13:21:55.633Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68568e81aded773421b5a7fd
Added to database: 6/21/2025, 10:50:41 AM
Last enriched: 6/21/2025, 12:51:45 PM
Last updated: 8/9/2025, 2:57:08 PM
Related Threats
- CVE-2025-8975: Cross Site Scripting in givanz Vvveb (Medium)
- CVE-2025-55716: CWE-862 Missing Authorization in VeronaLabs WP Statistics (Medium)
- CVE-2025-55714: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crocoblock JetElements For Elementor (Medium)
- CVE-2025-55713: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in CreativeThemes Blocksy (Medium)
- CVE-2025-55712: CWE-862 Missing Authorization in POSIMYTH The Plus Addons for Elementor Page Builder Lite (Medium)