
CVE-2025-6364: SQL Injection in code-projects Simple Pizza Ordering System

Medium
Published: Fri Jun 20 2025 (06/20/2025, 20:31:04 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Pizza Ordering System

Description

A vulnerability has been found in code-projects Simple Pizza Ordering System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /adduser-exec.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely.

AI-Powered Analysis

AI analysis last updated: 06/21/2025, 12:52:05 UTC

Technical Analysis

CVE-2025-6364 is a SQL injection vulnerability in version 1.0 of the code-projects Simple Pizza Ordering System, located in the file /adduser-exec.php, which, judging by its name, is the server-side handler that creates a user account. The 'Username' parameter is placed into a SQL statement without sanitization, validation or parameterization, so a remote attacker can supply a value that changes the structure of the statement and runs attacker-chosen SQL against the backend database. VulDB's description classifies the issue as critical, while its CVSS 4.0 base score is 6.9 (medium); the vector reflects a network attack vector, low attack complexity, no privileges and no user interaction required, with the confidentiality, integrity and availability impacts each rated low. Low individual impact ratings should not be read as benign: even an injection into an INSERT statement can read other tables through subqueries (for example by storing the result of a subselect in the newly created record), modify existing rows, or corrupt data, and the combined effect can be significant data exposure or manipulation. The absence of an authentication requirement together with remote reachability is what makes this finding dangerous. No exploits in the wild are currently reported, but the injection is trivial to trigger, which makes it an attractive target for anyone seeking to compromise the ordering system, extract customer data, or disrupt operations. The Simple Pizza Ordering System is a web application for managing pizza orders and user accounts; successful exploitation could lead to unauthorized data access, data modification, or denial of service through database corruption.

Potential Impact

For European organizations running the Simple Pizza Ordering System 1.0, this vulnerability puts customer data confidentiality and system integrity at risk. Attackers could extract whatever the user and order tables hold, which for an ordering system typically means names, contact details and order histories, and payment data if the deployment stores any, leading to privacy violations and GDPR non-compliance. Integrity impacts include unauthorized modification of orders or user accounts, which disrupts business processes and damages customer trust. Availability could be affected if attackers run statements that corrupt or lock database tables, causing service outages. Because the exploit is remote and unauthenticated, it can be launched from anywhere, so the exposed surface is the whole internet-facing deployment. Small and medium-sized enterprises in the food service sector, which often rely on off-the-shelf or open-source ordering systems, are particularly exposed. Reputational damage and regulatory fines from a breach could be substantial. Attackers could also use a compromised system as a foothold for further intrusion or lateral movement within the organization's IT infrastructure.

Mitigation Recommendations

1. Patching or replacement: Check whether code-projects has released a fix for this issue. If none is available, either fix the code yourself (item 2) or replace the application with a maintained, secure alternative.
2. Parameterized queries and input validation: In /adduser-exec.php, and in any other handler that builds SQL from request data, replace string-concatenated SQL with prepared statements (in PHP, mysqli or PDO with bound parameters). Strict validation of the 'Username' parameter (length and allowed character set) is a worthwhile second layer, but it is not a substitute for parameterization.
3. Web Application Firewall (WAF): Deploy or update WAF rules that detect and block SQL injection attempts against the vulnerable endpoint. Treat this as a stopgap: signature rules can be bypassed and may reject legitimate input containing apostrophes, so they buy time rather than fix the code.
4. Network segmentation and least privilege: Isolate the ordering system from critical internal networks to limit lateral movement in case of compromise, and run the application's database account with only the privileges it needs on its own database.
5. Monitoring and logging: Log request parameters for the endpoint and database errors, and alert on quote characters combined with SQL keywords in the 'Username' value; a spike in database errors originating from /adduser-exec.php is itself an indicator of probing.
6. Incident response readiness: Maintain tested backups and a response plan so affected systems can be restored quickly.
7. Vendor engagement: Engage with the software vendor or community to encourage timely release of patches and security advisories.
8. User awareness: Educate staff on the risks of running outdated software and the importance of timely updates.
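The bug class from the Technical Analysis and the fix from item 2, as an added example that is not code from code-projects or the Simple Pizza Ordering System: the real /adduser-exec.php is PHP talking to MySQL, while this stand-in uses Python with an in-memory SQLite database. The schema, the admin row, the column names and the payload are all constructed for illustration.

```python
"""
Added example, not code from code-projects or the Simple Pizza Ordering
System. The real /adduser-exec.php is PHP talking to MySQL; this stand-in uses
Python and an in-memory SQLite database to show the same bug class and its
fix. Schema, the admin row and the payload are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: an existing admin account plus the users table
    that the add-user handler writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'S3cretAdminHash')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """The flawed pattern: request values spliced into the statement text,
    the equivalent of string concatenation in the PHP handler."""
    return ("INSERT INTO users (username, password) VALUES ('"
            + username + "', '" + password + "')")


def add_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> None:
    conn.execute(build_vulnerable_sql(username, password))


def add_user_fixed(conn: sqlite3.Connection, username: str, password: str) -> None:
    """The remediation: a parameterized query. The values travel separately
    from the statement, so they can never alter its structure."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password))


# Constructed payload for the Username field. It closes the string literal
# and concatenates a subselect, so the admin's stored password is written into
# the attacker's own username column, where it can later be read back from
# any page that displays the username.
PAYLOAD = "x' || (SELECT password FROM admin LIMIT 1) || '"


def newest_username(conn: sqlite3.Connection) -> str:
    row = conn.execute(
        "SELECT username FROM users ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]


def demo_vulnerable() -> str:
    """What the vulnerable handler stores for the payload."""
    conn = make_db()
    add_user_vulnerable(conn, PAYLOAD, "pw")
    return newest_username(conn)  # the admin secret leaks into the new row


def demo_fixed() -> str:
    """What the parameterized handler stores: the payload itself, inert."""
    conn = make_db()
    add_user_fixed(conn, PAYLOAD, "pw")
    return newest_username(conn)


if __name__ == "__main__":
    print("query sent by vulnerable handler:")
    print("  " + build_vulnerable_sql(PAYLOAD, "pw"))
    print("stored username (vulnerable):", demo_vulnerable())
    print("stored username (fixed)     :", demo_fixed())
```

The vulnerable path stores "xS3cretAdminHash" as the new account's username, because the statement the database receives contains the subselect; the parameterized path stores the payload string verbatim. The concatenation operator differs between engines (MySQL uses CONCAT() unless PIPES_AS_CONCAT is enabled), but the remediation does not: in PHP the equivalent of the fixed function is a mysqli or PDO prepared statement with the username and password bound as parameters.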
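A request-screening check of the kind items 3 and 5 call for, written here as an added example rather than anything from the offseq page or the code-projects application: it scopes to the vulnerable endpoint and its 'Username' parameter, matches on structural SQL patterns rather than lone apostrophes, and runs over a constructed request log. The log format, the parameter names and the signature list are assumptions.

```python
"""
Added example, not part of the offseq page or the code-projects application.
A small WAF-style screen for /adduser-exec.php, run over constructed request
log lines of the form: <timestamp> <client ip> <method> <path> <urlencoded body>.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Each signature describes a structural change to a SQL statement rather than
# a lone apostrophe, so names such as O'Neil are not blocked.
SQLI_SIGNATURES = [
    (r"'\s*(\|\||\+|concat\s*\()", "string-concat after closing quote"),
    (r"'\s*(or|and)\b", "boolean tautology"),
    (r"\bunion\b\s+(all\s+)?select\b", "union-based read"),
    (r"\(\s*select\b", "subselect"),
    (r"(--|/\*|'\s*#)", "SQL comment to truncate the statement"),
    (r";\s*(drop|delete|update|insert)\b", "stacked statement"),
    (r"\b(sleep|benchmark|pg_sleep)\s*\(", "time-based blind probe"),
]
TARGET_PATH = "/adduser-exec.php"          # the endpoint named in the CVE
WATCHED_PARAMS = {"username", "Username"}  # assumed parameter spellings


def score_value(value: str) -> list[str]:
    """Return the labels of every signature matched by one parameter value."""
    return [label for pattern, label in SQLI_SIGNATURES
            if re.search(pattern, value, re.IGNORECASE)]


def screen_request(path: str, params: dict[str, str]) -> list[str]:
    """Inspect only the vulnerable endpoint's watched parameters."""
    if urlsplit(path).path != TARGET_PATH:
        return []
    findings = []
    for name, value in params.items():
        if name in WATCHED_PARAMS:
            findings.extend(f"{name}: {label}" for label in score_value(value))
    return findings


def parse_line(line: str):
    """Split one constructed log line into its fields and decode the body."""
    ts, ip, method, path, *rest = line.split(maxsplit=4)
    body = rest[0] if rest else ""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return ts, ip, method, path, params


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (timestamp, client ip, findings) for every line that trips a rule."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, params = parse_line(line)
        findings = screen_request(path, params)
        if findings:
            alerts.append((ts, ip, findings))
    return alerts


# Constructed sample log: two legitimate sign-ups (one with an apostrophe), one
# injection attempt against the vulnerable endpoint, one probe of another page.
SAMPLE_LOG = """\
2025-06-21T10:50:41Z 198.51.100.23 POST /adduser-exec.php Username=oneil&Password=pw1
2025-06-21T10:51:02Z 198.51.100.23 POST /adduser-exec.php Username=O%27Neil&Password=pw2
2025-06-21T10:52:17Z 203.0.113.7 POST /adduser-exec.php Username=x%27+%7C%7C+%28SELECT+password+FROM+admin+LIMIT+1%29+%7C%7C+%27&Password=pw
2025-06-21T10:53:00Z 203.0.113.7 POST /login.php Username=x%27+OR+%271%27%3D%271&Password=pw
"""

if __name__ == "__main__":
    for ts, ip, findings in scan_log(SAMPLE_LOG):
        print(ts, ip, "; ".join(findings))
```

Only the third line raises an alert ("string-concat after closing quote" and "subselect"); the apostrophe in O'Neil passes, and the tautology against /login.php is ignored because the screen is scoped to the endpoint named in the CVE, which is a one-line change if wider coverage is wanted. Signature matching of this kind is a detection and stopgap control: it will miss encoded or reordered payloads, so it complements rather than replaces the parameterized query.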


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-19T13:22:07.379Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68568e81aded773421b5a7ed

Added to database: 6/21/2025, 10:50:41 AM

Last enriched: 6/21/2025, 12:52:05 PM

Last updated: 8/10/2025, 1:31:04 PM

Views: 28

