
CVE-2025-6361: SQL Injection in code-projects Simple Pizza Ordering System

Severity: Medium
Published: Fri Jun 20 2025 (06/20/2025, 19:31:04 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Pizza Ordering System

Description

A vulnerability classified as critical was found in code-projects Simple Pizza Ordering System 1.0. This vulnerability affects unknown code of the file /adds.php. The manipulation of the argument userid leads to SQL injection. The attack can be initiated remotely.

AI-Powered Analysis

Last updated: 06/21/2025, 12:51:29 UTC

Technical Analysis

CVE-2025-6361 is a critical SQL Injection vulnerability identified in version 1.0 of the Simple Pizza Ordering System developed by code-projects. The vulnerability exists in the /adds.php file, specifically through the manipulation of the 'userid' parameter. This flaw allows an unauthenticated attacker to remotely inject malicious SQL queries into the backend database. Exploiting this vulnerability can lead to unauthorized access to sensitive data, modification or deletion of database records, and potentially full compromise of the underlying database server. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network attack vector, low attack complexity, no privileges or user interaction required) but limited impact on confidentiality, integrity, and availability (each rated low). No known exploits are currently reported in the wild, and no patches or mitigations have been officially released yet. The lack of authentication and direct database manipulation capability makes this vulnerability a significant threat to any deployment of this software, especially in environments handling sensitive customer or payment information. The vulnerability's presence in a niche application like a pizza ordering system may limit its widespread impact but does not diminish the risk to affected organizations.

Potential Impact

For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a risk of data breaches involving customer information, order details, and potentially payment data if stored in the same database. Exploitation could result in unauthorized data disclosure, data tampering, and disruption of order processing services, impacting business operations and customer trust. Given the remote and unauthenticated nature of the attack, threat actors could leverage this vulnerability to pivot into broader network compromise, especially if the ordering system is integrated with other internal systems. The impact is particularly critical for small to medium-sized enterprises (SMEs) in the food service sector that may lack robust cybersecurity defenses. Additionally, regulatory compliance risks arise under GDPR due to potential exposure of personal data. While the vulnerability currently lacks known exploits in the wild, the ease of exploitation and critical nature of SQL injection vulnerabilities warrant proactive mitigation to prevent future attacks.

Mitigation Recommendations

1. Immediately review the code that handles the 'userid' parameter in /adds.php and replace direct SQL query concatenation with parameterized queries or prepared statements.
2. Apply input validation with allow-list filtering so that only the expected format for 'userid' (for example, a numeric identifier) is accepted.
3. Deploy a Web Application Firewall (WAF) with custom rules to detect and block SQL injection attempts against the vulnerable endpoint.
4. Isolate the Simple Pizza Ordering System from critical internal networks to limit lateral movement if it is compromised.
5. Monitor database and web server logs for suspicious query patterns or anomalous requests involving 'userid'.
6. Plan for an urgent patch or upgrade from the vendor once one is available; in the interim, disable or restrict access to the vulnerable functionality where feasible.
7. Conduct security awareness training for staff who manage the system so they can recognize signs of exploitation and respond promptly.
8. Back up databases regularly and test restoration procedures to minimize the impact of data corruption or deletion.
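The following PHP snippet is an added illustration of mitigations 1 and 2 (allow-list validation plus a prepared statement); it is not code from the Simple Pizza Ordering System, and the table name, column names and DSN are assumed for the example.

```php
<?php
// Added illustration of mitigations 1 and 2 above; not code from the
// Simple Pizza Ordering System. The "orders" table, its columns and
// the DSN are assumed for the sake of the example.

// Vulnerable pattern: the request parameter is concatenated straight
// into the SQL text, so its content becomes part of the query grammar.
function find_orders_unsafe(PDO $db, string $userid): array
{
    $sql = "SELECT id, item, total FROM orders WHERE userid = '" . $userid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern, step 1: allow-list validation rejects anything that
// is not a plain positive integer before it reaches the database layer.
function validate_userid(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened pattern, step 2: a prepared statement sends the value
// separately from the SQL text, so it can never be parsed as syntax.
function find_orders_safe(PDO $db, ?string $raw): array
{
    $userid = validate_userid($raw);
    if ($userid === null) {
        http_response_code(400);   // reject malformed input outright
        return [];
    }
    $stmt = $db->prepare('SELECT id, item, total FROM orders WHERE userid = :uid');
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example use with a hypothetical DSN. Emulated prepares are disabled so
// the MySQL server itself performs the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=pizza', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$orders = find_orders_safe($db, $_GET['userid'] ?? null);
header('Content-Type: application/json');
echo json_encode($orders);
```

A request whose 'userid' fails the allow-list check never reaches the query, and a value that passes is bound as an integer rather than spliced into the SQL string.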


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-19T13:21:58.444Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68568e81aded773421b5a812

Added to database: 6/21/2025, 10:50:41 AM

Last enriched: 6/21/2025, 12:51:29 PM

Last updated: 8/19/2025, 7:40:19 AM
