
CVE-2025-6363: SQL Injection in code-projects Simple Pizza Ordering System

Severity: Medium
Tags: Vulnerability, CVE-2025-6363
Published: Fri Jun 20 2025 (06/20/2025, 20:00:14 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Pizza Ordering System

Description

A vulnerability, which was classified as critical, was found in code-projects Simple Pizza Ordering System 1.0. Affected is an unknown function of the file /adding-exec.php. The manipulation of the argument ingname leads to sql injection. It is possible to launch the attack remotely.

AI-Powered Analysis

Last updated: 06/21/2025, 12:51:37 UTC

Technical Analysis

CVE-2025-6363 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Simple Pizza Ordering System, specifically within the /adding-exec.php file. The vulnerability arises from improper sanitization or validation of the 'ingname' parameter, which is used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This can lead to unauthorized data disclosure, modification, or deletion, and may also enable further attacks such as privilege escalation or remote code execution depending on the database and application context. The vulnerability requires no authentication or user interaction and can be exploited over the network, increasing its risk profile. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is rated as low individually but combined could be significant depending on the database contents and application use. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability affects only version 1.0 of the product, which is a niche web-based pizza ordering system likely used by small to medium-sized food service businesses.
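The following is an added illustration, not code from the Simple Pizza Ordering System (the advisory names only the file /adding-exec.php and the parameter ingname; the affected function is unknown). It shows, in Python with an in-memory SQLite table, the defect class the analysis describes: a query built by string concatenation lets the value of ingname reach the SQL parser as SQL text, while a parameterized query passes it as data. The table layout, the price column and the add_ingredient_* names are assumptions. The same contrast applies in the project's PHP with PDO prepared statements and bound parameters.

```python
import sqlite3


def make_db():
    # Assumed schema for illustration only; the real application's tables are unknown.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ingredients ("
        "id INTEGER PRIMARY KEY, ingname TEXT NOT NULL, price REAL NOT NULL)"
    )
    return conn


def add_ingredient_unsafe(conn, ingname, price):
    # Hypothetical defective pattern: the request value is spliced into the SQL text,
    # so any quote character in ingname changes the statement the parser sees.
    sql = (
        "INSERT INTO ingredients (ingname, price) VALUES ('"
        + ingname + "', " + str(float(price)) + ")"
    )
    conn.execute(sql)
    conn.commit()


def add_ingredient_safe(conn, ingname, price):
    # Hardened form: validate shape, then bind the value as a parameter so the
    # database receives it as data rather than as part of the statement.
    if not (1 <= len(ingname) <= 64):
        raise ValueError("ingname length out of range")
    price = float(price)
    if price < 0:
        raise ValueError("price must be non-negative")
    conn.execute(
        "INSERT INTO ingredients (ingname, price) VALUES (?, ?)", (ingname, price)
    )
    conn.commit()


def list_ingredients(conn):
    return [row[0] for row in conn.execute("SELECT ingname FROM ingredients ORDER BY id")]


def demo(ingname="O'Brien's cheddar"):
    # A perfectly legitimate value containing apostrophes is enough to show the
    # difference: the concatenated statement is no longer valid SQL, the bound one is.
    results = {}
    conn = make_db()
    try:
        add_ingredient_unsafe(conn, ingname, 1.5)
        results["unsafe"] = "inserted"
    except sqlite3.OperationalError as exc:
        results["unsafe"] = "sql error: " + str(exc)
    add_ingredient_safe(conn, ingname, 1.5)
    results["safe"] = list_ingredients(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

A value that merely breaks the query is the harmless end of the same defect: because the input is interpreted as SQL, a crafted value is interpreted as SQL too. Binding parameters removes the interpretation step entirely, which is why the mitigation section below prefers it over pattern-based filtering.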

Potential Impact

For European organizations using the Simple Pizza Ordering System 1.0, this vulnerability poses a tangible risk of data breaches and service disruption. Exploitation could lead to exposure of customer data, including order details and potentially payment information if stored insecurely. This could result in reputational damage, regulatory penalties under GDPR for data protection failures, and financial losses. The integrity of order processing could be compromised, leading to incorrect orders or denial of service. Given the remote exploitability without authentication, attackers could automate attacks at scale, targeting multiple vulnerable installations. However, the limited market penetration of this specific product and the absence of known exploits reduce the immediate widespread risk. Nonetheless, organizations relying on this system should consider the threat seriously, especially those handling sensitive customer data or operating in jurisdictions with strict data protection laws.

Mitigation Recommendations

Organizations should immediately audit their use of the Simple Pizza Ordering System 1.0 and identify any exposed instances of /adding-exec.php. Since no official patch is currently available, mitigation should focus on implementing web application firewall (WAF) rules to detect and block SQL injection patterns targeting the 'ingname' parameter. Input validation and parameterized queries should be enforced at the application level if source code access is possible. Network segmentation and limiting external access to the ordering system can reduce exposure. Monitoring logs for unusual query patterns or errors related to SQL injection attempts is critical. Additionally, organizations should plan to upgrade to a patched version once available or consider migrating to alternative, actively maintained ordering systems with secure coding practices. Regular backups of the database should be maintained to enable recovery in case of data tampering.
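As an added example for the log-monitoring recommendation above (not tooling from the advisory or the project), the Python below parses constructed web-server access log lines in combined format, isolates requests to /adding-exec.php, URL-decodes the ingname parameter and grades each value with a small three-level scheme. The indicator list, the level names and the sample lines (including the 198.51.100.0/24 and 203.0.113.0/24 documentation addresses) are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic in Apache/Nginx combined log format; not real log data.
SAMPLE_LOG = """198.51.100.23 - - [21/Jun/2025:10:15:02 +0000] "GET /adding-exec.php?ingname=mozzarella&price=2.50 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Jun/2025:10:15:09 +0000] "GET /adding-exec.php?ingname=O%27Brien%27s+cheddar&price=1.50 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
203.0.113.77 - - [21/Jun/2025:10:16:44 +0000] "GET /adding-exec.php?ingname=x%27+UNION+SELECT+1--&price=1 HTTP/1.1" 500 233 "-" "sqlmap/1.8"
203.0.113.77 - - [21/Jun/2025:10:16:45 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicator patterns are an assumption of this example, not a vendor rule set.
COMMENT_RE = re.compile(r"(--|/\*)")
KEYWORD_RE = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.I
)


def classify(ingname, status):
    """Grade one decoded ingname value together with the HTTP status it produced."""
    has_quote = "'" in ingname or '"' in ingname
    if has_quote and KEYWORD_RE.search(ingname):
        return "alert", "quote combined with SQL keyword"
    if COMMENT_RE.search(ingname) or ";" in ingname:
        return "alert", "SQL comment marker or statement separator"
    if has_quote and status == 500:
        # An apostrophe that makes the backend fail is itself evidence of the defect.
        return "suspect", "quote followed by server error"
    if has_quote:
        return "info", "quote in value (possibly a legitimate apostrophe)"
    return None, ""


def scan(log_text):
    """Return a list of findings for requests to /adding-exec.php carrying ingname."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        if parts.path != "/adding-exec.php":
            continue
        for value in parse_qs(parts.query).get("ingname", []):
            level, reason = classify(value, int(m.group("status")))
            if level:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "level": level,
                    "reason": reason,
                    "ingname": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["level"], f["ip"], f["reason"], repr(f["ingname"]))
```

Two caveats for deployment. Access logs only carry the query string, so if the ordering form submits ingname in a POST body the parameter will never appear here; request-body logging at the application or a WAF in front of it is then the only place to observe it. Second, an apostrophe alone is common in ingredient names, which is why the scheme above reports it as informational unless it coincides with a server error or a keyword; tune thresholds on your own traffic before paging anyone.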


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-19T13:22:04.707Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68568e81aded773421b5a80b

Added to database: 6/21/2025, 10:50:41 AM

Last enriched: 6/21/2025, 12:51:37 PM

Last updated: 8/11/2025, 12:13:06 AM

